includio-cms 0.13.2 → 0.13.3

package/CHANGELOG.md

@@ -3,6 +3,26 @@
 All notable changes to includio-cms are documented here.
 Generated from `src/lib/updates/` — do not edit manually.
 
+## 0.13.3 — 2026-03-23
+
+Security hardening, per-language content fixes
+
+### Added
+- Timing-safe API key comparison (prevents timing attacks)
+- MIME type blocklist on upload and file replace endpoints
+- Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
+- CMS constructor validates that at least one language is configured
+
+### Fixed
+- Form submission rate limiting applies to all requests (not just multipart uploads)
+- Form submission uses SvelteKit getClientAddress() instead of spoofable x-forwarded-for header
+- Removed demo reset endpoint with hardcoded fallback secret
+- Added .catch() handlers for unhandled promise rejections in admin components
+- Per-language content language state and entry label fixes
+
+### Breaking
+- CMS config with empty languages array now throws an error at initialization
+
 ## 0.13.2 — 2026-03-20
 
 Upload limits, stable reordering, relation filters, image style optimization

package/ROADMAP.md

@@ -229,6 +229,16 @@
 - [x] `[fix]` `[P1]` Concurrent image style generation with buffer reuse (download once, parallel limit 3) <!-- files: src/lib/core/server/media/styles/operations/generateDefaultStyles.ts, src/lib/core/server/media/styles/sharp/generateImageStyle.ts -->
 - [x] `[fix]` `[P1]` Image style resolution gracefully skips missing styles <!-- files: src/lib/core/server/fields/utils/imageStyles.ts -->
 
+## 0.13.3 — Security hardening
+
+- [x] `[fix]` `[P0]` Timing-safe API key comparison (prevents timing attacks) <!-- files: src/lib/admin/api/rest/middleware/apiKey.ts -->
+- [x] `[fix]` `[P0]` Remove demo reset endpoint with hardcoded fallback secret <!-- files: src/routes/api/demo/reset/ -->
+- [x] `[fix]` `[P1]` Form rate limit: all requests + getClientAddress() instead of x-forwarded-for <!-- files: src/routes/api/forms/[slug]/submit/+server.ts -->
+- [x] `[feature]` `[P1]` MIME blocklist on upload/replace endpoints <!-- files: src/lib/core/server/media/mimeBlocklist.ts -->
+- [x] `[feature]` `[P1]` Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy <!-- files: src/lib/sveltekit/server/handle.ts -->
+- [x] `[fix]` `[P1]` CMS constructor validates non-empty languages array <!-- files: src/lib/core/cms.ts -->
+- [x] `[fix]` `[P2]` Unhandled promise rejection handlers in admin components
+
 ## 0.14.0 — SEO module
 
 - [ ] `[feature]` `[P1]` SERP preview + character limits for title/description <!-- files: src/lib/admin/components/fields/seo-field.svelte -->
@@ -246,8 +256,8 @@
 - [ ] `[feature]` `[P1]` `sanitizeHTML` utility — general HTML sanitization outside richtext (text fields, SEO fields)
 - [ ] `[feature]` `[P1]` CSP headers — Content-Security-Policy middleware
 - [ ] `[feature]` `[P1]` CSRF protection — tokens for mutating operations
-- [ ] `[feature]` `[P1]` Rate limiting — API/auth endpoints
-- [ ] `[chore]` `[P1]` Security audit — review `{@html}` usage, innerHTML, injection vectors
+- [x] `[feature]` `[P1]` Rate limiting — form submit endpoints (done in 0.13.3; admin/auth endpoints remaining)
+- [x] `[chore]` `[P1]` Security audit — timing attacks, MIME validation, demo endpoint, rate limiting (done in 0.13.3; `{@html}` review remaining)
 - [ ] `[chore]` `[P1]` Input sanitization audit — review all fields for XSS
 
 ## Backlog

package/dist/admin/api/replace.js

@@ -2,6 +2,7 @@ import { requireAuth } from '../remote/middleware/auth.js';
 import { replaceFile } from '../../core/server/media/operations/replaceFile.js';
 import { json } from '@sveltejs/kit';
 import { getMaxUploadSize } from '../../core/server/media/uploadLimit.js';
+import { isBlockedMimeType } from '../../core/server/media/mimeBlocklist.js';
 const MAX_UPLOAD_SIZE = getMaxUploadSize();
 export const POST = async ({ request }) => {
     requireAuth();
@@ -14,6 +15,9 @@ export const POST = async ({ request }) => {
     if (file.size > MAX_UPLOAD_SIZE) {
         return new Response('File too large', { status: 413 });
     }
+    if (isBlockedMimeType(file.type, file.name)) {
+        return new Response('File type not allowed', { status: 415 });
+    }
     if (!fileId || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(fileId)) {
         return new Response('Invalid fileId', { status: 400 });
     }

package/dist/admin/api/rest/middleware/apiKey.js

@@ -1,3 +1,4 @@
+import { timingSafeEqual } from 'node:crypto';
 import { getCMS } from '../../../../core/cms.js';
 export function extractApiKey(event) {
     const authHeader = event.request.headers.get('authorization');
@@ -6,9 +7,14 @@ export function extractApiKey(event) {
     }
     return event.request.headers.get('x-api-key');
 }
+function safeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
 export function validateApiKey(key) {
     const cms = getCMS();
-    return cms.apiKeys.find((k) => k.key === key) ?? null;
+    return cms.apiKeys.find((k) => safeEqual(k.key, key)) ?? null;
 }
 export function setSyntheticUser(event, apiKey) {
     const name = apiKey.name || 'api';

package/dist/admin/api/upload.js

@@ -3,6 +3,7 @@ import { uploadFile } from '../../core/server/media/operations/uploadFile.js';
 import { getCMS } from '../../core/cms.js';
 import { json } from '@sveltejs/kit';
 import { getMaxUploadSize } from '../../core/server/media/uploadLimit.js';
+import { isBlockedMimeType } from '../../core/server/media/mimeBlocklist.js';
 const MAX_UPLOAD_SIZE = getMaxUploadSize();
 export const POST = async ({ request }) => {
     requireAuth();
@@ -15,6 +16,9 @@ export const POST = async ({ request }) => {
     if (file.size > MAX_UPLOAD_SIZE) {
         return new Response('File too large', { status: 413 });
     }
+    if (isBlockedMimeType(file.type, file.name)) {
+        return new Response('File type not allowed', { status: 415 });
+    }
     const dbFile = await uploadFile(file);
     if (tagIdsRaw) {
         try {

package/dist/admin/client/collection/collection-entries.svelte

@@ -155,7 +155,7 @@
 					...relationFilterOptions,
 					[field.slug]: labels.map((l) => ({ value: l.id, label: l.label }))
 				};
-			});
+			}).catch(() => {});
 		}
 	});
 
@@ -250,7 +250,7 @@
 		if (entriesQuery.current) {
 			fetchRelationLabels(entriesQuery.current.entries).then((l) => {
 				labelLookup = l;
-			});
+			}).catch(() => {});
 		}
 	});
 
@@ -286,7 +286,7 @@
 				return renderComponent(EntryLink, {
 					name: info.row.original.name,
 					url: info.row.original.url,
-					slug: info.row.original.slug?.[interfaceLanguage.current]
+					slug: info.row.original.slug
 				});
 			}
 		},
@@ -534,7 +534,11 @@
 		return {
 			id: entry.id,
 			name: getRawCollectionEntryLabel(entry, collection, contentLanguage.current),
-			slug: extractSlug(entry),
+			slug: (() => {
+				const s = extractSlug(entry);
+				if (!s) return undefined;
+				return collection.pathTemplate ? collection.pathTemplate.replace('{slug}', s) : s;
+			})(),
 			url: `/admin/entries/${entry.id}`,
 			status: getEntryStatus(entry),
 			createdAt: new Date(entry.createdAt),

package/dist/admin/client/collection/grid-view.svelte

@@ -85,7 +85,7 @@
 				</h3>
 				{#if item.slug}
 					<div class="text-muted-foreground truncate font-mono text-[10px]">
-						/{item.slug?.[interfaceLanguage.current]}
+						/{item.slug}
 					</div>
 				{/if}
 				<div class="mt-auto flex flex-col items-start gap-1.5 pt-2">

package/dist/admin/client/entry/entry-header.svelte

@@ -11,12 +11,11 @@
 	import LayoutSidebar from '@tabler/icons-svelte/icons/layout-sidebar';
 	import SendIcon from '@tabler/icons-svelte/icons/send';
 	import ChevronDownIcon from '@tabler/icons-svelte/icons/chevron-down';
-	import LanguageIcon from '@tabler/icons-svelte/icons/language';
+	import CopyIcon from '@tabler/icons-svelte/icons/copy';
 	import * as DropdownMenu from '../../../components/ui/dropdown-menu/index.js';
 	import { hasHybridContext, getHybridContext } from './hybrid/hybrid-context.svelte.js';
 	import { getEntryStatus } from './utils.js';
 	import { onMount } from 'svelte';
-	import type { LangStatus } from '../../utils/translationStatus.js';
 
 	const contentLanguage = getContentLanguage();
 	const interfaceLanguage = useInterfaceLanguage();
@@ -27,17 +26,20 @@
 			publish: string;
 			update: string;
 			saveDraft: string;
+			copyFrom: string;
 		}
 	> = {
 		en: {
 			publish: 'Publish',
 			update: 'Update',
-			saveDraft: 'Save draft'
+			saveDraft: 'Save draft',
+			copyFrom: 'Copy from'
 		},
 		pl: {
 			publish: 'Publikuj',
 			update: 'Aktualizuj',
-			saveDraft: 'Zapisz szkic'
+			saveDraft: 'Zapisz szkic',
+			copyFrom: 'Kopiuj z'
 		}
 	};
 
@@ -54,7 +56,7 @@
 		saveStatus?: SaveStatus;
 		isArchived?: boolean;
 		onScrollToIssue?: (fieldSlug: string, nodePos: number) => void;
-		translationStatus?: Record<string, LangStatus> | null;
+		onCopyFromLang?: (lang: string) => void;
 	};
 
 	let {
@@ -68,7 +70,7 @@
 		saveStatus = 'idle',
 		isArchived = false,
 		onScrollToIssue,
-		translationStatus = null
+		onCopyFromLang
 	}: Props = $props();
 	let { collection } = entry;
 
@@ -93,29 +95,8 @@
 	});
 	const shortcutLabel = $derived(isMac ? '⌘S' : 'Ctrl+S');
 
-	function statusDotClass(status: LangStatus | undefined): string {
-		if (!status) return 'bg-[var(--text-light)]';
-		if (status.status === 'complete') return 'bg-[var(--success)]';
-		if (status.status === 'partial') return 'bg-[var(--warning)]';
-		return 'bg-[var(--text-light)]';
-	}
-
-	function statusLabel(lang: string, status: LangStatus | undefined): string {
-		if (!status) return lang.toUpperCase();
-		if (status.status === 'complete') return `${lang.toUpperCase()} \u2713`;
-		if (status.status === 'partial') return `${lang.toUpperCase()} \u26A0`;
-		return lang.toUpperCase();
-	}
-
-	function statusTooltip(lang: string, status: LangStatus | undefined): string {
-		if (!status) return lang.toUpperCase();
-		if (status.status === 'complete') return `${lang.toUpperCase()}: 100%`;
-		const missing = status.missingFields.map((f) => f.label).join(', ');
-		return `${lang.toUpperCase()}: ${status.percentage}% — ${interfaceLanguage.current === 'pl' ? 'brakuje' : 'missing'}: ${missing}`;
-	}
-
-	const isNonDefaultLang = $derived(
-		contentLanguage.all.length > 1 && contentLanguage.current !== contentLanguage.all[0]
+	const otherLanguages = $derived(
+		contentLanguage.all.filter((l) => l !== contentLanguage.current)
 	);
 </script>
 
@@ -134,34 +115,46 @@
 		{#if contentLanguage.all.length > 1}
 			<div class="border-border bg-muted inline-flex overflow-hidden rounded-lg border">
 				{#each contentLanguage.all as lang}
-					{@const langStatus = translationStatus?.[lang]}
 					<button
 						type="button"
 						role="tab"
 						aria-selected={lang === contentLanguage.current}
-						title={statusTooltip(lang, langStatus)}
-						class="inline-flex items-center gap-1.5 px-2.5 py-1 text-xs font-semibold transition-colors {lang ===
+						title={lang.toUpperCase()}
+						class="inline-flex items-center px-2.5 py-1 text-xs font-semibold transition-colors {lang ===
 						contentLanguage.current
 							? 'text-primary bg-white shadow-sm ring-1 ring-primary/20'
 							: 'text-muted-foreground hover:text-foreground bg-transparent'}"
 						onclick={() => (contentLanguage.current = lang)}
 					>
-						<span class="size-2 shrink-0 rounded-full {statusDotClass(langStatus)}"></span>
-						{statusLabel(lang, langStatus)}
+						{lang.toUpperCase()}
 					</button>
 				{/each}
 			</div>
 
-			<!-- Reference mode toggle -->
-			<Button
-				variant="ghost"
-				size="icon-sm"
-				class={contentLanguage.referenceMode ? 'text-primary bg-[var(--lavender-lighter)]' : ''}
-				onclick={() => (contentLanguage.referenceMode = !contentLanguage.referenceMode)}
-				title={interfaceLanguage.current === 'pl' ? 'Tryb referencyjny' : 'Reference mode'}
-			>
-				<LanguageIcon class="size-4" />
-			</Button>
+			<!-- Copy from other language -->
+			{#if onCopyFromLang && otherLanguages.length > 0}
+				<DropdownMenu.Root>
+					<DropdownMenu.Trigger>
+						{#snippet child({ props })}
+							<button
+								{...props}
+								type="button"
+								class="text-muted-foreground hover:text-foreground inline-flex items-center rounded-md p-1.5 transition-colors hover:bg-[var(--lavender-lighter)]"
+								title={lang[interfaceLanguage.current].copyFrom}
+							>
+								<CopyIcon class="size-4" />
+							</button>
+						{/snippet}
+					</DropdownMenu.Trigger>
+					<DropdownMenu.Content align="end" class="w-48">
+						{#each otherLanguages as sourceLang}
+							<DropdownMenu.Item onclick={() => onCopyFromLang?.(sourceLang)}>
+								{lang[interfaceLanguage.current].copyFrom} {sourceLang.toUpperCase()}
+							</DropdownMenu.Item>
+						{/each}
+					</DropdownMenu.Content>
+				</DropdownMenu.Root>
+			{/if}
 
 			<div class="bg-border mx-1 h-5 w-px shrink-0"></div>
 		{/if}

package/dist/admin/client/entry/entry-header.svelte.d.ts

@@ -1,7 +1,6 @@
 import type { DbEntryVersion, RawEntry } from '../../../types/entries.js';
 import type { UpdateEntryVersionCommandType } from '../../../core/server/entries/operations/update.js';
 import type { Field } from '../../../types/fields.js';
-import type { LangStatus } from '../../utils/translationStatus.js';
 type SaveStatus = 'idle' | 'saving' | 'saved' | 'unsaved' | 'error';
 type Props = {
     entry: RawEntry;
@@ -14,7 +13,7 @@ type Props = {
     saveStatus?: SaveStatus;
     isArchived?: boolean;
     onScrollToIssue?: (fieldSlug: string, nodePos: number) => void;
-    translationStatus?: Record<string, LangStatus> | null;
+    onCopyFromLang?: (lang: string) => void;
 };
 declare const EntryHeader: import("svelte").Component<Props, {}, "">;
 type EntryHeader = ReturnType<typeof EntryHeader>;

package/dist/admin/client/entry/entry-version.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
 	import { page } from '$app/state';
+	import { getContentLanguage } from '../../state/content-language.svelte.js';
 	import type { RawEntry } from '../../../types/entries.js';
 	import Entry from './entry.svelte';
 
@@ -9,11 +10,16 @@
 
 	let { entry }: Props = $props();
 
+	const contentLanguage = getContentLanguage();
 	const version = $derived(page.url.searchParams.get('version') || '');
 
-	const editingEntry = $derived(
-		entry.versions.find((ver) => ver.id === version) || entry.versions[0]
-	);
+	const editingEntry = $derived.by(() => {
+		if (version) {
+			return entry.versions.find((ver) => ver.id === version) || entry.versions[0];
+		}
+		const lang = contentLanguage.current;
+		return entry.publishedVersions[lang] || entry.draftVersions[lang] || entry.versions[0];
+	});
 </script>
 
 {#key editingEntry.id}

package/dist/admin/client/entry/entry.svelte

@@ -26,7 +26,7 @@
 	import { getFieldsFromConfig, hasLayout } from '../../../core/fields/layoutUtils.js';
 	import type { ValidationErrors } from 'sveltekit-superforms';
 	import { createHybridContext } from './hybrid/hybrid-context.svelte.js';
-	import { onMount } from 'svelte';
+	import { onMount, setContext } from 'svelte';
 	import { get } from 'svelte/store';
 	const contentLanguage = getContentLanguage();
 	const remotes = getRemotes();
@@ -140,6 +140,9 @@
 	let { collection } = entry;
 	const isArchived = $derived(!!entry.archivedAt);
 
+	setContext('cms-path-template', collection.pathTemplate || null);
+	setContext('cms-entry-published', entry.publishedVersions[contentLanguage.current] != null);
+
 	// Create form once at component level — localized: false since data is flat single-language
 	const collectionSchema = generateZodSchemaFromFields(
 		getFieldsFromConfig(collection),
@@ -539,6 +542,21 @@
 
 	const t = $derived(lang[interfaceLanguage.current]);
 	const isHybrid = $derived(hybridContext.mode === 'hybrid' && !!collection.previewUrl);
+
+	function onCopyFromLang(sourceLang: string) {
+		const sourceVersion =
+			entry.draftVersions[sourceLang] ?? entry.publishedVersions[sourceLang];
+		if (!sourceVersion?.data) return;
+
+		const confirmMsg =
+			interfaceLanguage.current === 'pl'
+				? `Nadpisze aktualne dane danymi z wersji ${sourceLang.toUpperCase()}. Kontynuować?`
+				: `This will overwrite current data with data from ${sourceLang.toUpperCase()} version. Continue?`;
+
+		if (!confirm(confirmMsg)) return;
+
+		form.form.set(sourceVersion.data);
+	}
 </script>
 
 <div class={isHybrid ? 'flex h-full flex-col overflow-hidden' : ''}>
@@ -553,6 +571,7 @@
 		fields={getFieldsFromConfig(collection)}
 		getFormData={() => get(form.form)}
 		onScrollToIssue={scrollToIssue}
+		{onCopyFromLang}
 	/>
 
 	{#if validationErrors.length > 0}

package/dist/admin/components/fields/seo-field.svelte

@@ -8,15 +8,22 @@
 		MediaField,
 		SeoField,
 		SeoFieldData,
+		SlugField as SlugFieldType,
 		TextField
 	} from '../../../types/fields.js';
-	import { untrack } from 'svelte';
+	import { formFieldProxy, type FormPathLeaves } from 'sveltekit-superforms';
+	import Input from '../../../components/ui/input/input.svelte';
+	import * as Form from '../../../components/ui/form/index.js';
+	import { getContext, untrack } from 'svelte';
 	import slugify from '../../imports/slugify.js';
 	import { useInterfaceLanguage } from '../../state/interface-language.svelte.js';
 	import { getLocalizedLabel } from '../../utils/collectionLabel.js';
 	import { Switch } from '../../../components/ui/switch/index.js';
 
 	const interfaceLanguage = useInterfaceLanguage();
+	const pathTemplate = getContext<string | null>('cms-path-template');
+	const pathPrefix = pathTemplate ? pathTemplate.replace('{slug}', '') : '/';
+	const wasPublished = getContext<boolean>('cms-entry-published') ?? false;
 
 	type Props = {
 		field: SeoField;
@@ -172,6 +179,10 @@
 		return 'text-destructive';
 	}
 
+	// Slug field proxy for direct input binding
+	const slugPath = joinPath(String(path), 'slug');
+	const { value: slugValue } = formFieldProxy(form, slugPath as FormPathLeaves<Record<string, unknown>>);
+
 	// Auto-gen: track last auto-generated value
 	let lastAutoSlug = '';
 	let lastAutoTitle = '';
@@ -179,6 +190,7 @@
 	// Auto slug toggle
 	let autoSlug = $state((() => {
 		if (!field.slugSource) return false;
+		if (wasPublished) return false;
 		const sourceRaw = ($formData as Record<string, unknown>)[field.slugSource];
 		if (!sourceRaw || typeof sourceRaw !== 'string') return true;
 		const slugPath = joinPath(String(path), 'slug');
@@ -238,21 +250,23 @@
 </script>
 
 <div class="space-y-4">
-	<!-- Slug field with auto/manual toggle -->
-	<div>
-		{#if field.slugSource}
-			<div class="mb-1.5 flex items-center gap-2">
-				<span class="text-sm font-medium text-muted-foreground">Auto</span>
-				<Switch bind:checked={autoSlug} onCheckedChange={onAutoSlugToggle} />
-			</div>
-		{/if}
-		<FieldRenderer
-			field={slugField}
-			{form}
-			path={joinPath(path, 'slug')}
-			readonly={autoSlug}
-		/>
-	</div>
+	<!-- Slug field with auto/manual toggle + path prefix -->
+	<Form.Field {form} name={slugPath} class="space-y-1">
+		<div class="flex items-center justify-between">
+			<Form.Label>{getLocalizedLabel(labels.slug.label, interfaceLanguage.current)}</Form.Label>
+			{#if field.slugSource}
+				<div class="flex items-center gap-2">
+					<span class="text-sm font-medium text-muted-foreground">Auto</span>
+					<Switch bind:checked={autoSlug} onCheckedChange={onAutoSlugToggle} />
+				</div>
+			{/if}
+		</div>
+		<div class="flex">
+			<span class="border-input bg-muted text-muted-foreground flex h-9 shrink-0 items-center rounded-l-md border border-r-0 px-2.5 font-mono text-sm">{pathPrefix}</span>
+			<Input bind:value={$slugValue} readonly={autoSlug} class="rounded-l-none border-l-0" />
+		</div>
+		<Form.Description>{getLocalizedLabel(labels.slug.description, interfaceLanguage.current)}</Form.Description>
+	</Form.Field>
 	{#each fields as f}
 		<div>
 			<FieldRenderer

package/dist/admin/remote/entry.remote.js

@@ -1,4 +1,5 @@
 import { command, query } from '$app/server';
+import { getAtPath } from '../utils/objectPath.js';
 import { createEntry as createEntryOperation, createEntrySchema, createEntryVersion } from '../../core/server/entries/operations/create.js';
 import { getRawEntries as getRawEntriesOperation, countRawEntries as countRawEntriesOperation, getRawEntry as getRawEntryOperation, getRawEntryOrThrow, getDbEntry, getDbEntryOrThrow, getEntries as getEntriesOperation, getEntry as getEntryOperation, getEntryVersion as getEntryVersionOperation, getEntryLabels as getEntryLabelsOperation } from '../../core/server/entries/operations/get.js';
 import { getCMS } from '../../core/cms.js';
@@ -208,8 +209,7 @@ export const getRecentEntries = query(z.number().default(6), async (limit) => {
         const latestVersion = entry.versions[0];
         let label = null;
         if (config && config.type === 'collection' && config.entryAdminTitle && latestVersion) {
-            const titleData = latestVersion.data[config.entryAdminTitle];
-            // Data is flat — titleData is the string directly
+            const titleData = getAtPath(latestVersion.data, config.entryAdminTitle);
             if (typeof titleData === 'string') {
                 label = titleData || '';
             }
@@ -257,8 +257,7 @@ export const getRecentActivity = query(z.number().default(10), async (limit) =>
             const config = getCMS().getBySlug(entry.slug);
             let label = null;
             if (config && config.type === 'collection' && config.entryAdminTitle) {
-                const titleData = latestVersion.data[config.entryAdminTitle];
-                // Data is flat — titleData is the string directly
+                const titleData = getAtPath(latestVersion.data, config.entryAdminTitle);
                 if (typeof titleData === 'string') {
                     label = titleData || null;
                 }

package/dist/admin/state/content-language.svelte.d.ts

@@ -2,7 +2,6 @@ export declare const getContentLanguage: () => ContentLanguage, setContentLangua
 type _ContentLanguage = {
     all: string[];
     current: string;
-    referenceMode: boolean;
 };
 export declare class ContentLanguage {
     #private;
@@ -10,7 +9,5 @@ export declare class ContentLanguage {
     get all(): string[];
     get current(): _ContentLanguage["current"];
     set current(value: _ContentLanguage['current']);
-    get referenceMode(): boolean;
-    set referenceMode(value: boolean);
 }
 export {};

package/dist/admin/state/content-language.svelte.js

@@ -1,27 +1,23 @@
 import { createContext } from 'svelte';
+import { PersistedState } from 'runed';
 export const [getContentLanguage, setContentLanguage] = createContext();
 export class ContentLanguage {
     #all;
     #current;
-    #referenceMode;
     constructor(all, current) {
         this.#all = $state(all);
-        this.#current = $state(current);
-        this.#referenceMode = $state(false);
+        this.#current = new PersistedState('content-language', current);
+        if (!all.includes(this.#current.current)) {
+            this.#current.current = current;
+        }
     }
     get all() {
         return this.#all;
     }
     get current() {
-        return this.#current;
+        return this.#current.current;
     }
     set current(value) {
-        this.#current = value;
-    }
-    get referenceMode() {
-        return this.#referenceMode;
-    }
-    set referenceMode(value) {
-        this.#referenceMode = value;
+        this.#current.current = value;
     }
 }

package/dist/admin/utils/entryLabel.js

@@ -2,15 +2,14 @@ import { getAtPath } from './objectPath.js';
 export function getRawCollectionEntryLabel(entry, config, language) {
     const publishedVersion = entry.publishedVersions[language];
     if (publishedVersion) {
-        // Data is flat — entryAdminTitle value is directly a string
         return config.entryAdminTitle
-            ? String(publishedVersion.data[config.entryAdminTitle] || entry.id)
+            ? String(getAtPath(publishedVersion.data, config.entryAdminTitle) || entry.id)
             : entry.id;
     }
     const draftVersion = entry.draftVersions[language];
     if (draftVersion) {
         return config.entryAdminTitle
-            ? String(draftVersion.data[config.entryAdminTitle] || entry.id)
+            ? String(getAtPath(draftVersion.data, config.entryAdminTitle) || entry.id)
             : entry.id;
     }
     return entry.id;

package/dist/cms/runtime/api.d.ts

@@ -8,10 +8,15 @@ interface GetEntryOptions {
 interface GetEntriesOptions extends GetEntryOptions {
     ids?: string[];
     dataLike?: Record<string, unknown>;
+    dataILikeOr?: Record<string, unknown>;
     orderBy?: {
         column: 'createdAt' | 'updatedAt' | 'sortOrder';
         direction: 'asc' | 'desc';
     };
+    dataOrderBy?: {
+        field: string;
+        direction: 'asc' | 'desc';
+    };
     limit?: number;
     offset?: number;
 }