emdash 0.8.0 → 0.9.0

package/src/cli/commands/publish.ts

@@ -21,6 +21,7 @@ import { createGzipDecoder, unpackTar } from "modern-tar";
 import pc from "picocolors";
 
 import { pluginManifestSchema } from "../../plugins/manifest-schema.js";
+import { CAPABILITY_RENAMES, isDeprecatedCapability } from "../../plugins/types.js";
 import {
 	getMarketplaceCredential,
 	saveMarketplaceCredential,
@@ -440,6 +441,29 @@ export const publishCommand = defineCommand({
 		}
 		console.log();
 
+		// ── Step 2.5: Hard-fail on deprecated capability names ──
+		//
+		// Refusing to publish manifests that use deprecated capability names
+		// keeps the marketplace clean while the deprecation window is open.
+		// The fix is mechanical and entirely in the author's hands — they
+		// rename, re-bundle, and republish. Better to refuse 5 publishes
+		// than ship 500 deprecated manifests. We check before authentication
+		// so authors don't burn a device-flow login on a doomed publish.
+		const deprecatedCaps = manifest.capabilities.filter(isDeprecatedCapability);
+		if (deprecatedCaps.length > 0) {
+			consola.error(
+				"Plugin declares deprecated capability names. Rename them and re-bundle before publishing:",
+			);
+			for (const cap of deprecatedCaps) {
+				const replacement = CAPABILITY_RENAMES[cap];
+				consola.error(`  ${cap} → ${replacement}`);
+			}
+			consola.error(
+				"See https://emdashcms.com/docs/plugins/overview#capabilities for the full rename table.",
+			);
+			process.exit(1);
+		}
+
 		// ── Step 3: Authenticate ──
 		//
 		// Priority: EMDASH_MARKETPLACE_TOKEN env var > stored credential > interactive device flow.

package/src/cli/commands/secrets.ts

@@ -0,0 +1,183 @@
+/**
+ * Secrets CLI commands
+ *
+ * Pure (no-DB) commands for working with EmDash secrets:
+ *
+ * - `emdash secrets generate` — emits a fresh `EMDASH_ENCRYPTION_KEY`.
+ *   Optionally writes it to `.dev.vars` (Workers) or `.env` (Node).
+ * - `emdash secrets fingerprint <key>` — prints the kid for a key,
+ *   useful in CI for verifying what's been deployed without exposing
+ *   the raw value.
+ *
+ * DB-touching commands (`status`, `migrate`, `rotate`) live elsewhere:
+ * the CLI process can't open the production D1/Postgres binding from
+ * the operator's machine, so those operations ship as admin HTTP
+ * endpoints in a later PR. A thin `--site <url>` wrapper for those
+ * endpoints can land alongside.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+import { defineCommand } from "citty";
+import { consola } from "consola";
+import pc from "picocolors";
+
+import { EmDashSecretsError, fingerprintKey, generateEncryptionKey } from "../../config/secrets.js";
+
+const KEY_VAR_NAME = "EMDASH_ENCRYPTION_KEY";
+/** Matches a populated entry — `KEY=<at least one char>`. */
+const POPULATED_KEY_LINE_PATTERN = /^EMDASH_ENCRYPTION_KEY=.+$/m;
+/**
+ * Matches any line starting `KEY=` including `KEY=` with empty value.
+ * Used for in-place replacement when the entry exists but has no value.
+ */
+const ANY_KEY_LINE_PATTERN = /^EMDASH_ENCRYPTION_KEY=.*$/m;
+
+/**
+ * Append (or replace) `EMDASH_ENCRYPTION_KEY` in a dotenv-style file.
+ *
+ * Idempotent: if the entry exists with a populated value, leaves it alone
+ * (returns `"skipped"`) unless `force` is set. An entry with an empty
+ * value (`EMDASH_ENCRYPTION_KEY=`) is treated as "not set" and gets
+ * replaced — placeholder lines aren't a reason to refuse.
+ *
+ * Always ends the resulting file with a trailing newline. Doesn't touch
+ * other variables.
+ *
+ * Exported for tests.
+ */
+export function writeEncryptionKeyToFile(
+	targetPath: string,
+	value: string,
+	force: boolean,
+): "wrote" | "skipped" {
+	const exists = existsSync(targetPath);
+	const existing = exists ? readFileSync(targetPath, "utf-8") : "";
+
+	const hasPopulatedKey = POPULATED_KEY_LINE_PATTERN.test(existing);
+	if (hasPopulatedKey && !force) {
+		return "skipped";
+	}
+
+	const newLine = `${KEY_VAR_NAME}=${value}`;
+	let next: string;
+	if (ANY_KEY_LINE_PATTERN.test(existing)) {
+		// In-place replace handles both populated-and-forced and empty-value
+		// cases. Then ensure trailing newline.
+		next = existing.replace(ANY_KEY_LINE_PATTERN, newLine);
+		if (!next.endsWith("\n")) next += "\n";
+	} else {
+		// Append. Insert a separating newline only if the file has content
+		// not already ending in one.
+		const sep = existing.length === 0 ? "" : existing.endsWith("\n") ? "" : "\n";
+		next = `${existing}${sep}${newLine}\n`;
+	}
+
+	writeFileSync(targetPath, next);
+	return "wrote";
+}
+
+const generateCommand = defineCommand({
+	meta: {
+		name: "generate",
+		description: "Generate a new EmDash encryption key",
+	},
+	args: {
+		write: {
+			type: "string",
+			description:
+				"Optional path to write the key to (e.g. .dev.vars or .env). " +
+				"Won't overwrite an existing entry without --force.",
+		},
+		force: {
+			type: "boolean",
+			description: "When used with --write, overwrite an existing entry",
+			default: false,
+		},
+	},
+	run({ args }) {
+		const value = generateEncryptionKey();
+
+		if (args.write) {
+			const targetPath = resolve(process.cwd(), args.write);
+			const result = writeEncryptionKeyToFile(targetPath, value, args.force);
+			if (result === "skipped") {
+				// Idempotent no-op: entry already populated. Exit 0 so chained
+				// scripts (`emdash secrets generate --write && pnpm dev`) don't
+				// break. Pass --force to replace, with full awareness that
+				// existing encrypted secrets become unreadable.
+				consola.info(
+					`${KEY_VAR_NAME} already set in ${pc.cyan(args.write)}; leaving it alone. ` +
+						`Pass ${pc.bold("--force")} to replace it.`,
+				);
+				return;
+			}
+			consola.log("");
+			consola.log(`${pc.bold("Wrote")} ${pc.cyan(KEY_VAR_NAME)} to ${pc.cyan(args.write)}`);
+			consola.log("");
+			consola.log(
+				pc.yellow(
+					"Keep this file out of version control. Losing the key means losing every secret encrypted with it.",
+				),
+			);
+			consola.log("");
+			return;
+		}
+
+		// Print the key to stdout (one line, no decoration) so it can be
+		// piped into env files or secret-management tools without scraping.
+		// Explanatory text goes to stderr so it doesn't pollute the pipe.
+		process.stdout.write(`${value}\n`);
+		const guidance = [
+			"",
+			pc.bold("EmDash encryption key generated."),
+			"",
+			`Set ${pc.cyan(KEY_VAR_NAME)} in your environment.`,
+			"For Cloudflare deployments, push it to your Worker's secrets.",
+			"For Node deployments, add it to your process environment or .env file.",
+			"",
+			pc.yellow("Keep this value secret. Losing it means losing every secret encrypted with it."),
+			"",
+		].join("\n");
+		process.stderr.write(`${guidance}\n`);
+	},
+});
+
+const fingerprintCommand = defineCommand({
+	meta: {
+		name: "fingerprint",
+		description: "Print the kid (8-char fingerprint) for an encryption key",
+	},
+	args: {
+		key: {
+			type: "positional",
+			description: "The full key value (with the emdash_enc_v1_ prefix)",
+			required: true,
+		},
+	},
+	async run({ args }) {
+		try {
+			const kid = await fingerprintKey(args.key);
+			// Newline-only on stdout so it pipes cleanly into env/CI logs
+			// without leaking the raw key.
+			process.stdout.write(`${kid}\n`);
+		} catch (error) {
+			consola.error(
+				error instanceof EmDashSecretsError ? error.message : "Failed to fingerprint key",
+			);
+			process.exit(1);
+		}
+	},
+});
+
+export const secretsCommand = defineCommand({
+	meta: {
+		name: "secrets",
+		description: "Manage EmDash secrets (generate, inspect)",
+	},
+	subCommands: {
+		generate: generateCommand,
+		fingerprint: fingerprintCommand,
+	},
+});

package/src/cli/credentials.ts

@@ -130,7 +130,7 @@ function readStore(): CredentialStore {
 
 function writeStore(store: CredentialStore): void {
 	const dir = getConfigDir();
-	mkdirSync(dir, { recursive: true });
+	mkdirSync(dir, { recursive: true, mode: 0o700 });
 
 	const path = getCredentialPath();
 	writeFileSync(path, JSON.stringify(store, null, "\t"), {

package/src/cli/index.ts

@@ -11,7 +11,8 @@
  * - dev: Run dev server with local D1
  * - seed: Apply a seed file to the database
  * - export-seed: Export database schema and content as a seed file
- * - auth: Authentication utilities (secret generation)
+ * - secrets: Generate and inspect EmDash secrets (encryption keys, etc.)
+ * - auth: [DEPRECATED] Generate auth secret (use `secrets` instead)
  * - login/logout/whoami: Session management
  * - content: Create, read, update, delete content
  * - schema: Manage collections and fields
@@ -36,6 +37,7 @@ import { menuCommand } from "./commands/menu.js";
 import { pluginCommand } from "./commands/plugin.js";
 import { schemaCommand } from "./commands/schema.js";
 import { searchCommand } from "./commands/search-cmd.js";
+import { secretsCommand } from "./commands/secrets.js";
 import { seedCommand } from "./commands/seed.js";
 import { taxonomyCommand } from "./commands/taxonomy.js";
 import { typesCommand } from "./commands/types.js";
@@ -53,6 +55,8 @@ const main = defineCommand({
 		doctor: doctorCommand,
 		seed: seedCommand,
 		"export-seed": exportSeedCommand,
+		secrets: secretsCommand,
+		// Deprecated alias kept for backwards compat; will be removed in a future minor.
 		auth: authCommand,
 		login: loginCommand,
 		logout: logoutCommand,

package/src/client/index.ts

@@ -723,8 +723,8 @@ export class EmDashClient {
 
 	/** List taxonomies */
 	async taxonomies(): Promise<Taxonomy[]> {
-		const data = await this.request<{ items: Taxonomy[] }>("GET", "/taxonomies");
-		return data.items;
+		const data = await this.request<{ taxonomies: Taxonomy[] }>("GET", "/taxonomies");
+		return data.taxonomies;
 	}
 
 	/** List terms in a taxonomy */
@@ -757,8 +757,8 @@ export class EmDashClient {
 
 	/** List menus */
 	async menus(): Promise<Menu[]> {
-		const data = await this.request<{ items: Menu[] }>("GET", "/menus");
-		return data.items;
+		// Handler returns a bare array, not { items: [...] }
+		return this.request<Menu[]>("GET", "/menus");
 	}
 
 	/** Get a menu with its items */

package/src/client/transport.ts

@@ -155,24 +155,34 @@ export function refreshInterceptor(options: {
 
 		if (!res.ok) return null;
 
-		const data = (await res.json()) as {
+		interface TokenFields {
 			access_token: string;
 			refresh_token?: string;
 			expires_in?: number;
-		};
-		const expiresAt = data.expires_in
-			? new Date(Date.now() + data.expires_in * 1000).toISOString()
+		}
+
+		const json = (await res.json()) as Record<string, unknown>;
+
+		// The token endpoint wraps the response in { data: ... } via apiSuccess.
+		// Handle both wrapped and bare shapes for robustness.
+		const tokenData: TokenFields =
+			json.data && typeof json.data === "object" && "access_token" in json.data
+				? (json.data as TokenFields)
+				: (json as unknown as TokenFields);
+
+		const expiresAt = tokenData.expires_in
+			? new Date(Date.now() + tokenData.expires_in * 1000).toISOString()
 			: new Date(Date.now() + 3600_000).toISOString();
 
 		if (options.onTokenRefreshed) {
 			options.onTokenRefreshed(
-				data.access_token,
-				data.refresh_token ?? options.refreshToken,
+				tokenData.access_token,
+				tokenData.refresh_token ?? options.refreshToken,
 				expiresAt,
 			);
 		}
 
-		return data.access_token;
+		return tokenData.access_token;
 	}
 
 	return async (request, next) => {

package/src/components/Break.astro

@@ -32,11 +32,11 @@ const style = node?.style || "line";
 	}
 	.emdash-break-line {
 		border: none;
-		border-top: 1px solid #e0e0e0;
+		border-top: 1px solid var(--emdash-break-color, var(--color-border, #e0e0e0));
 	}
 	.emdash-break-dots {
 		text-align: center;
-		color: #999;
+		color: var(--emdash-break-dots-color, var(--color-muted, #999));
 		letter-spacing: 0.5em;
 	}
 	.emdash-break-space {

package/src/components/EmDashHead.astro

@@ -20,8 +20,9 @@ import {
 	generateBaseSeoContributions,
 	generateSiteSeoContributions,
 } from "../page/seo-contributions.js";
+import { renderSiteIdentity } from "../page/site-identity.js";
 import { getPageRuntime } from "../page/index.js";
-import { getSiteSetting } from "../settings/index.js";
+import { getSiteSettings } from "../settings/index.js";
 
 interface Props {
 	page: PublicPageContext;
@@ -34,29 +35,32 @@ const runtime = getPageRuntime(Astro.locals as Record<string, unknown>);
 const baseContributions: PageMetadataContribution[] = generateBaseSeoContributions(page);
 
 let metadataHtml = "";
+let siteIdentityHtml = "";
 let fragmentsHtml = "";
 
 if (runtime) {
-	// Run independent async loads in parallel: site SEO settings (for
-	// search engine verification meta tags) and plugin page-metadata
-	// contributions. Plugin contributions come BEFORE site/base in the
-	// array, so resolvePageMetadata's first-wins dedup lets plugins
-	// override defaults.
+	// Run independent async loads in parallel: site settings (SEO meta
+	// tags + favicon) and plugin page-metadata contributions. Plugin
+	// contributions come BEFORE site/base in the contribution array,
+	// so resolvePageMetadata's first-wins dedup lets plugins override
+	// defaults.
 	//
-	// `getSiteSetting("seo")` is request-cached and — crucially — reads
-	// from `getSiteSettings()`'s cached batch when a parent template has
-	// already called it. So this is either a single-key query or free,
-	// not a second round-trip.
-	const [seoSettings, pluginContributions, fragments] = await Promise.all([
-		getSiteSetting("seo"),
+	// `getSiteSettings()` is request-cached and worker-cached, so when
+	// a parent template has already called it (the standard pattern in
+	// `Base.astro`), this is free. Otherwise it's a single batched
+	// query that supersedes any per-key fetch this component would
+	// otherwise have done.
+	const [siteSettings, pluginContributions, fragments] = await Promise.all([
+		getSiteSettings(),
 		runtime.collectPageMetadata(page),
 		runtime.collectPageFragments(page),
 	]);
 
-	const siteContributions = generateSiteSeoContributions(seoSettings);
+	const siteContributions = generateSiteSeoContributions(siteSettings.seo);
 	const allContributions = [...pluginContributions, ...siteContributions, ...baseContributions];
 	const resolved = resolvePageMetadata(allContributions);
 	metadataHtml = renderPageMetadata(resolved);
+	siteIdentityHtml = renderSiteIdentity({ favicon: siteSettings.favicon });
 	fragmentsHtml = renderFragments(fragments, "head");
 } else {
 	// No runtime (EmDash not initialized) — still render base SEO
@@ -66,4 +70,5 @@ if (runtime) {
 ---
 
 <Fragment set:html={metadataHtml} />
+<Fragment set:html={siteIdentityHtml} />
 <Fragment set:html={fragmentsHtml} />

package/src/components/Embed.astro

@@ -121,7 +121,7 @@ const isSelfHostedAudio = provider === "audio";
 	}
 	.emdash-embed figcaption {
 		font-size: 0.875rem;
-		color: #666;
+		color: var(--emdash-caption-color, var(--color-muted, #666));
 		margin-top: 0.5rem;
 		text-align: center;
 	}

package/src/components/Gallery.astro

@@ -83,7 +83,7 @@ if (!images.length) {
 	}
 	.emdash-gallery-item figcaption {
 		font-size: 0.75rem;
-		color: #666;
+		color: var(--emdash-caption-color, var(--color-muted, #666));
 		margin-top: 0.25rem;
 		text-align: center;
 	}

package/src/components/Image.astro

@@ -176,7 +176,7 @@ const imgStyle = placeholderStyle ? `${baseStyle} ${placeholderStyle}` : baseSty
 	}
 	.emdash-image figcaption {
 		font-size: 0.875rem;
-		color: #666;
+		color: var(--emdash-caption-color, var(--color-muted, #666));
 		margin-top: 0.5rem;
 		text-align: center;
 	}

package/src/components/InlinePortableTextEditor.tsx

@@ -10,7 +10,7 @@
  */
 
 import { autoUpdate, flip, offset, shift, useFloating } from "@floating-ui/react";
-import { Extension, type JSONContent, type Range } from "@tiptap/core";
+import { Extension, Node, mergeAttributes, type JSONContent, type Range } from "@tiptap/core";
 import Focus from "@tiptap/extension-focus";
 import Image from "@tiptap/extension-image";
 import Link from "@tiptap/extension-link";
@@ -202,12 +202,18 @@ function convertPMNode(node: PMNode): PTBlock | PTBlock[] | null {
 		}
 		case "horizontalRule":
 			return { _type: "break", _key: k(), style: "lineBreak" };
-		case "pluginBlock":
+		case "pluginBlock": {
+			// Spread the captured data back out so the block round-trips losslessly.
+			// `data` holds every field except _type / _key / id (which live on
+			// dedicated attrs).
+			const { blockType, id, data } = node.attrs ?? {};
 			return {
-				_type: attrStr(node.attrs, "blockType") || "embed",
+				...(data && typeof data === "object" ? data : {}),
+				_type: typeof blockType === "string" ? blockType : "embed",
 				_key: k(),
-				id: attrStr(node.attrs, "id"),
+				id: typeof id === "string" ? id : "",
 			};
+		}
 		default:
 			return null;
 	}
@@ -412,21 +418,23 @@ function convertPTBlock(block: PTBlock): JSONContent | null {
 			},
 		};
 	}
-	// Unknown block types — treat as plugin blocks if they have an id
-	const embedBlock = block as { _type: string; url?: string; id?: string };
-	if (embedBlock.id || embedBlock.url) {
-		return {
-			type: "pluginBlock",
-			attrs: {
-				blockType: block._type,
-				id: embedBlock.id || embedBlock.url || "",
-			},
-		};
-	}
-	// Truly unknown — render as code-marked text
+	// Unknown block types — treat as plugin blocks. Capture every field other
+	// than the well-known ones into `data` so the block round-trips losslessly,
+	// even if no plugin currently registers this type. Matches the admin
+	// editor's behaviour at PortableTextEditor.tsx:572-588.
+	const { _type, _key, id, url, ...rest } = block as { _type: string; _key: string } & Record<
+		string,
+		unknown
+	>;
+	// Filter out _-prefixed keys to prevent accumulation across edit cycles.
+	const data = Object.fromEntries(Object.entries(rest).filter(([key]) => !key.startsWith("_")));
 	return {
-		type: "paragraph",
-		content: [{ type: "text", text: `[${block._type}]`, marks: [{ type: "code" }] }],
+		type: "pluginBlock",
+		attrs: {
+			blockType: typeof _type === "string" ? _type : "embed",
+			id: typeof id === "string" ? id : typeof url === "string" ? url : "",
+			data,
+		},
 	};
 }
 
@@ -762,6 +770,61 @@ const initialSlashMenuState: SlashMenuState = {
 	range: null,
 };
 
+/**
+ * Minimal `pluginBlock` TipTap node for the inline (visual-editing) editor.
+ *
+ * Plugin-contributed Portable Text block types (e.g. `marketing.hero`) are
+ * editable in the admin via a Block Kit modal. The visual-editing surface
+ * deliberately does NOT offer that UX — it would need to fetch the manifest,
+ * mount the modal, and round-trip through plugin-block plumbing that lives in
+ * `@emdash-cms/admin`. Instead, the inline editor renders these blocks as a
+ * read-only placeholder so editors can see they exist and edit the surrounding
+ * content without losing the block's data.
+ *
+ * The full block payload is preserved on `data` and round-tripped losslessly
+ * through PT ↔ PM conversion (see convertPTBlock/convertPMNode). Without this
+ * extension, ProseMirror's schema would silently filter unknown nodes on load
+ * and the next save would persist the block's disappearance.
+ */
+const PluginBlockNode = Node.create({
+	name: "pluginBlock",
+	group: "block",
+	atom: true,
+	selectable: true,
+	draggable: true,
+
+	addAttributes() {
+		// All three attributes are stored on the ProseMirror node but not
+		// rendered as DOM attributes — they're metadata for the round-trip,
+		// not styling or behaviour the placeholder DOM needs to expose.
+		const noDom = { rendered: false, parseHTML: () => null };
+		return {
+			blockType: { default: "", ...noDom },
+			id: { default: "", ...noDom },
+			data: { default: {}, ...noDom },
+		};
+	},
+
+	parseHTML() {
+		return [{ tag: 'div[data-emdash-plugin-block="true"]' }];
+	},
+
+	renderHTML({ HTMLAttributes, node }) {
+		const blockType = typeof node.attrs.blockType === "string" ? node.attrs.blockType : "";
+		const label = blockType || "Block";
+		return [
+			"div",
+			mergeAttributes(HTMLAttributes, {
+				"data-emdash-plugin-block": "true",
+				"data-block-type": blockType,
+				class: "emdash-plugin-block-placeholder",
+				contenteditable: "false",
+			}),
+			`Plugin block: ${label} (edit in admin)`,
+		];
+	},
+});
+
 function createSlashCommandsExtension(options: {
 	filterCommands: (query: string) => SlashCommandItem[];
 	onStateChange: React.Dispatch<React.SetStateAction<SlashMenuState>>;
@@ -1734,6 +1797,7 @@ export function InlinePortableTextEditor({
 				mode: "all",
 			}),
 			Typography,
+			PluginBlockNode,
 			slashCommandsExtension,
 		],
 		content: initialContent,
@@ -1932,7 +1996,29 @@ export function InlinePortableTextEditor({
 				.emdash-inline-editor:focus {
 					outline: none;
 				}
+				.emdash-plugin-block-placeholder {
+					margin: 0.75rem 0;
+					padding: 0.625rem 0.875rem;
+					border: 1px dashed #d1d5db;
+					border-radius: 0.5rem;
+					background: #f9fafb;
+					color: #4b5563;
+					font-size: 0.875rem;
+					font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+					user-select: none;
+				}
+				@media (prefers-color-scheme: dark) {
+					.emdash-plugin-block-placeholder {
+						border-color: #374151;
+						background: #111827;
+						color: #9ca3af;
+					}
+				}
 			`}</style>
 		</div>
 	);
 }
+
+// Test-only exports for unit tests of the conversion functions.
+export { pmToPortableText as _pmToPortableText };
+export { portableTextToPM as _portableTextToPM };