emdash-patch-imageupload/packages/core/CHANGELOG.md

emdash

0.9.0

Minor Changes

• #884 e2b3c6c Thanks @ascorbic! - Removes the worker-isolate manifest cache and stops loading the manifest on public requests.

  The admin manifest (collection schemas, plugins, taxonomies) is built fresh from the live database on every admin request via constant-shape queries (SchemaRegistry.listCollectionsWithFields() — one collection query plus one batched field query, chunked at the D1 bound-parameter limit; two queries in practice for typical sites), deduplicated within a single request by requestCached. Logged-out / public requests no longer touch it at all — the global middleware no longer pre-loads locals.emdashManifest. Admin routes that need it call await emdash.getManifest().

  This closes the cross-isolate staleness bug class behind #776, #873, #876, and #877 by elimination: there is no cache to invalidate, so there is nothing to fan out across warm sibling isolates on Cloudflare Workers, and there is nothing to leave stale after a fire-and-forget delete is cancelled at response-time.

  Breaking changes

  • locals.emdash.invalidateManifest is removed. The shim that survived earlier was a misnomer once the manifest cache itself was gone. Plugin code that called this after schema changes should switch to locals.emdash.invalidateUrlPatternCache (the only side effect that survived) — or drop the call entirely if the mutation didn't affect collection URL patterns (field/taxonomy/plugin mutations don't).
  • locals.emdashManifest is removed. Read it via await locals.emdash.getManifest() instead. The only in-tree consumers were the admin manifest endpoint and the WordPress importer routes, both updated.
  • EmDashRuntime.invalidateManifest() is removed. EmDashRuntime.getManifest() is preserved with the same signature; its body now skips the cache layer.

  Performance

  The admin manifest build is now O(1) query shapes (one for collections, one batched query for the fields of every returned collection, chunked at the D1 bound-parameter limit) instead of N+1. This is the cost the cache was hiding; the rebuild is cheap enough to run per request.

• #731 9dfc65c Thanks @drudge! - Adds a media_picker Block Kit element: a thumbnail preview with a modal library picker and mime-type filter. Usable in plugin block forms and in Block Kit field widgets. The stored value is the selected asset's URL string, so it is value-compatible with a plain text_input — existing content continues to work after swapping. The mime_type_filter is restricted to image MIME types (image/ or image/<subtype>); wildcards and non-image types are rejected.

• #809 e7df21f Thanks @ascorbic! - Adds an optional category field to PortableTextBlockConfig for plugin-contributed block types. Plugins can now choose how their blocks are grouped in the admin slash menu (e.g. "Sections", "Marketing", "Media", "Layout") instead of always falling under "Embeds". Existing plugins that omit the field continue to render under "Embeds" exactly as before.

• #890 8ae227c Thanks @ascorbic! - Adds publishedAt to content_publish (MCP and REST) and exposes seo, bylines, and publishedAt on the MCP content_update tool.

  content_publish now accepts an optional ISO 8601 publishedAt to backdate a publish, which is useful when migrating content from another CMS or correcting a historical publish date. The override requires the content:publish_any permission. Without it, the existing published_at is preserved on re-publish (idempotent) and falls back to the current time on first publish.

  The MCP content_update tool previously dropped seo, bylines, and publishedAt even though the underlying handler accepted them. Callers had to fall back to raw SQL against _emdash_seo and _emdash_content_bylines to set these fields. They now flow through the MCP tool and are persisted in the same transaction as field updates. Setting publishedAt requires content:publish_any, mirroring the REST PUT route. Closes #621 and #622.

• #800 e2d5d16 Thanks @csfalcao! - Adds support for accepting passkey assertions from multiple origins that share an rpId, for deployments reachable under several hostnames (apex + preview/staging) under one registrable parent. Declare additional origins via EmDashConfig.allowedOrigins (in astro.config.mjs) or the EMDASH_ALLOWED_ORIGINS env var (comma-separated); the two sources merge at runtime. EmDash validates the merged set against siteUrl and rejects dead config (non-subdomain entries, IP-literal siteUrl, trailing dots, empty labels) with source-attributed errors. PasskeyConfig.origin: string is replaced by PasskeyConfig.origins: string[].

• #837 e81aa0f Thanks @netogregorio! - Make the preview URL pattern locale-aware. getPreviewUrl() now accepts a {locale} placeholder and a locale option (empty string collapses adjacent slashes so default-locale entries on prefixDefaultLocale: false sites stay unprefixed). The POST /_emdash/api/content/{collection}/{id}/preview-url route resolves the locale automatically from the entry and the site's i18n config, and reads a project-wide default pattern from the new EMDASH_PREVIEW_PATH_PATTERN env var so the admin's "View on site" link can match locale-prefixed routes (e.g. /{locale}/{id}).

• #811 cee403d Thanks @ascorbic! - Adds a centralized secrets module and emdash secrets CLI command group. The preview HMAC secret and commenter-IP hash salt are now generated and persisted in the options table on first need, with EMDASH_PREVIEW_SECRET and EMDASH_IP_SALT as optional env overrides. This replaces the previous empty-string preview fallback (which silently disabled token verification) and the hardcoded "emdash-ip-salt" constant (which was correlatable across installs).

  Adds:

  • emdash secrets generate [--write <file> [--force]] — emits a fresh EMDASH_ENCRYPTION_KEY (versioned emdash_enc_v1_<43 chars> format), optionally writes it to .dev.vars or .env idempotently.
  • emdash secrets fingerprint <key> — prints the kid (8-char fingerprint) for a key without exposing its value.

  Lays groundwork for plugin-secret encryption-at-rest in a follow-up.

  Deprecates:

  • emdash auth secret — kept as a working alias that prints a stderr deprecation note. Will be removed in a future minor. EMDASH_AUTH_SECRET itself is now legacy: it's only consulted as a fallback IP-salt source for upgrade compatibility (so existing installs keep stable commenter-IP hashes). New installs don't need to set it.

  API changes:

  • fingerprintKey() (exported from emdash's config module) now validates its input and throws EmDashSecretsError for malformed or non-canonical keys, where it previously silently hashed any string. Callers that want the previous "fingerprint anything" behavior should hash the input themselves with crypto.subtle.digest.

  User-visible side effects on upgrade:

  • Installs that hadn't set EMDASH_PREVIEW_SECRET get a fresh random preview secret on first start, which invalidates any outstanding preview URLs (typically short-lived).
  • Installs that hadn't set EMDASH_AUTH_SECRET get a fresh random IP salt, resetting active comment rate-limit windows once.
  • Installs that did set EMDASH_AUTH_SECRET keep the same IP salt via a legacy fallback, so existing rate-limit data carries over.
  • If you sign preview URLs from a separate process without access to the EmDash database (e.g. a remote preview Worker), you must continue to set EMDASH_PREVIEW_SECRET in both processes. Processes that share the database converge on the same auto-generated value automatically; the env override is only needed when the verifying process can't read the options table.

• #816 d4be24f Thanks @ask-bonk! - Unifies plugin capability names under a single <resource>[.<sub-resource>]:<verb>[:<qualifier>] formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded :any qualifier with the more conspicuous :unrestricted. Old names are still accepted with @deprecated warnings; emdash plugin bundle and emdash plugin validate warn for each deprecated name and emdash plugin publish refuses manifests that still use them.

  The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (content:read, content:write, media:read, media:write, users:read, network:request, network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins with read:content resolve to content:read and reach the same code path.

  Old	New
  read:content	content:read
  write:content	content:write
  read:media	media:read
  write:media	media:write
  read:users	users:read
  network:fetch	network:request
  network:fetch:any	network:request:unrestricted
  email:provide	hooks.email-transport:register
  email:intercept	hooks.email-events:register
  page:inject	hooks.page-fragments:register

  Existing installs keep working — manifests are normalized at every external boundary and diffCapabilities normalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.

Patch Changes

• #858 e0dc6fb Thanks @ask-bonk! - Adds CSS custom-property hooks to portable-text block defaults in Image, Embed, Gallery, and Break so host sites can theme figcaptions and horizontal rules without overriding component CSS. Resolution order is --emdash-caption-color → --color-muted → #666 for captions, --emdash-break-color → --color-border → #e0e0e0 for the break line, and --emdash-break-dots-color → --color-muted → #999 for break dots. Backward compatible: sites that don't define any of these variables get the previous hex defaults; sites that already expose the conventional --color-muted / --color-border tokens (e.g. the blog template) now get correct dark-mode theming automatically.

• #838 c22fb3a Thanks @ascorbic! - Removes a redundant SELECT id, author_id lookup that fired after every collection-list and entry fetch when computing the byline-fallback for entries without explicit credits. The column is already on the row data, so it is now read directly. Saves up to one round-trip per list query and two on post-detail routes (~30 fewer queries across the perf-fixture suite).

• #805 6a4e9b8 Thanks @ascorbic! - Fixes data loss in the visual-editing inline editor for plugin-contributed Portable Text block types. Previously, custom blocks like marketing.hero lost every field except id when the page was opened in edit mode, and the next save persisted the loss. Blocks now round-trip losslessly and render as a read-only placeholder labelled with the block type.

• #702 0ee372a Thanks @ilicfilip! - Adds @emdash-cms/plugin-field-kit — composable field widgets for json fields. Four widgets (object-form, list, grid, tags) are configured entirely through seed options so site builders don't need to write React to get a usable editing UI. Widgets store clean JSON (no nesting, no mutation of shape), so removing the plugin leaves valid data in the database. See discussion #571 for background.

  Widens FieldDescriptor.options to Array<{ value: string; label: string }> | Record<string, unknown> so plugin widgets can accept arbitrary widget config (not only enum choices). The array shape for select / multiSelect continues to work unchanged.

• #861 22a16ee Thanks @ask-bonk! - Fixes "Cannot find module 'kysely'" at runtime after astro build followed by astro preview or node dist/server/entry.mjs on Node deployments using SQLite or libSQL (#741). The SQLite and libSQL dialect runtime modules used CJS require("kysely") and require("better-sqlite3"), ostensibly to defer loading at config time — though in practice these modules are only ever loaded at runtime via virtual:emdash/dialect, so the deferral served no purpose. Vite preserved those literal require() calls in the bundled SSR chunks; under pnpm's strict node_modules layout, Node's CJS resolver could not find kysely (a transitive dep of emdash) from the user's dist/server/chunks/ directory. The dialect modules now use static imports — matching the existing db/postgres.ts adapter — so Vite resolves the deps correctly at build time.

• #847 1e2b024 Thanks @ascorbic! - Fixes site favicon injection so user-configured favicons render on the public site, including SVG favicons in Chromium browsers (#831). EmDashHead now emits a <link rel="icon"> tag with the correct type attribute (e.g. image/svg+xml) sourced from the stored media's MIME type. The bundled templates and demos have been updated to drop their per-template favicon link in favour of the centralized injection; existing user sites that still emit their own <link rel="icon"> continue to work because browsers tolerate the duplicate.

  MediaReference now carries url, contentType, width, and height when resolved via resolveMediaReference, so callers can emit correct head tags without a second round-trip to the media table.

• #851 81662e9 Thanks @ask-bonk! - Fixes admin branding (logo, siteName, favicon) configured via the integration's admin option not being delivered to the React admin SPA. The /_emdash/api/manifest route now reads admin branding from the per-request config plumbed through middleware (the same source admin.astro already used), instead of a build-time global that was never assigned.

• #857 2f22f57 Thanks @ask-bonk! - Fixes a migration race on D1 where two concurrent Workers isolates could both try to apply the same migration, causing one to fail with UNIQUE constraint failed: _emdash_migrations.name. The losing isolate would throw before reaching auto-seed, leaving the manifest cache empty and the admin UI reporting collections as not found while the API reported them correctly. runMigrations now treats this specific error as benign, waits for the concurrent migrator to finish, and verifies the schema is fully migrated before returning success. Closes #762.

• #856 ef3f076 Thanks @ask-bonk! - Fixes npm install peer dependency conflicts (#819) by removing @tanstack/react-query and @tanstack/react-router from peerDependencies. These libraries are internal implementation details of the bundled admin UI (@emdash-cms/admin) and consuming Astro apps don't import them directly. Listing them as peers of emdash was forcing every npm-based install to install and resolve them at the top level, which produced ERESOLVE errors and bloat. The admin package continues to declare them as its own runtime dependencies.

• #817 a9c29ea Thanks @all3f0r1! - Fixes redirect middleware so 301/302 rules from _emdash_redirects actually fire for unauthenticated visitors. Previously, the lookup was silently skipped on the public-visitor branch because locals.emdash.db is intentionally omitted there — only logged-in admins, edit-mode sessions and preview tokens ever saw redirects (so WordPress migration 301s, manual rewrites and Auto: slug change rows did nothing for real traffic, and hits / _emdash_404_log stayed at zero). The middleware now falls back to getDb() (ALS-aware) when locals.emdash.db is absent. Resolves #808.

• #874 d5f7c48 Thanks @ask-bonk! - Fixes EmDashRuntime.invalidateManifest() leaving the persisted manifest cache row stale on Cloudflare Workers. The D1 row delete was a fire-and-forget promise — on Workers, unawaited work is cancelled when the isolate is torn down post-response, so options.emdash:manifest_cache was almost never actually wiped after a schema mutation. Cold-starting isolates downstream then adopted the pre-mutation snapshot and served Collection '<slug>' not found until something else cleared the row. The delete now goes through after(), which hands it to ctx.waitUntil under workerd. (#873)

• #839 0d98c62 Thanks @ascorbic! - Caches the site:* settings prefix-scan across requests within a worker isolate. Site settings change rarely; reading them once per route was wasted work. Writes via setSiteSettings() invalidate the cache so other isolates pick up changes within their lifetime.

• #840 64bf5b9 Thanks @ascorbic! - Reduces duplicate queries on pages that render multiple taxonomy or "recent posts" widgets. getTaxonomyDef(name) now reuses the full taxonomy-defs list when it has already been loaded in the same request, and getEmDashCollection buckets small limits so a post-detail page asking for 4 posts in the body and 5 in a sidebar widget shares one fetch instead of two. Cuts ~6 queries from the perf-fixture post-detail render.

• #803 0041d76 Thanks @mvanhorn! - Fixes migrations 034 and 035 so they can safely re-run when a previous attempt left the schema partially applied without recording it in _emdash_migrations. Resolves the "index already exists" error reported on upgrade from 0.1.1 to 0.6.0+.

• #869 a8bac5d Thanks @ask-bonk! - Fixes autosave validation errors on content seeded from the blog, portfolio, and starter templates (issue #867).

  Two related issues:

  • _key was strictly required on Portable Text blocks by the generated Zod schema, but the rest of the block schema is .passthrough() and the editor regenerates _key on every change, so requiring it on input rejected legitimate seed/import data without protecting any real invariant. _key is now optional in the validator.
  • The portfolio template shipped featured_image as bare URL strings. image fields validate as { id, ... } objects, so any user who edited a different field on a portfolio entry hit featured_image: expected object, received string. The portfolio seeds now use $media references in the same shape as the blog template, and every shipped template seed has stable _keys on its Portable Text nodes.

  A regression test runs every shipped template seed through the same validator the autosave endpoint uses, so future template changes that break this invariant fail before release.

• #882 5b6f059 Thanks @ascorbic! - Fixes the seed virtual module to also look at the conventional seed/seed.json path when no .emdash/seed.json or package.json#emdash.seed pointer is configured. Without this fallback, a site that only had seed/seed.json would silently fall through to the built-in default seed -- the setup wizard would not offer demo content, and the wrong schema would be applied. The loader now warns when it falls through to the default seed so misconfiguration is loud during dev.

• #855 a86ff80 Thanks @ask-bonk! - Fixes Astro session lookups firing on every anonymous public SSR request (#733). The middleware now skips context.session.get("user") when no astro-session cookie is present, which on Cloudflare Workers (where the Astro session backend is KV) was turning normal anonymous traffic into a flood of KV read misses. Logged-in editors, admin routes, edit/preview flows, and any request that actually carries the session cookie continue to read the session as before.

• #853 eb6dbd0 Thanks @drudge! - Fixes content saves on collections with boolean fields. Boolean fields map to INTEGER columns and the repository writes booleans as 0/1, but never converts them back on read, so a GET → edit → POST round-trip surfaced numbers where the per-collection zod schema expected booleans, and every save was rejected. The boolean field schema now coerces the 0/1 shape to real booleans at the validation boundary; other numbers and strings still fail validation as before.

• Updated dependencies [9dfc65c, d6754ae, 0ee372a, ef3f076, 8d0feb3, 8354088, 254a443, 25128b2, e7df21f, ab45916, 0913a39, e2d5d16, a838000, ddbf808, 1c958fb, 491aeec, d4be24f]:

  • @emdash-cms/admin@0.9.0
  • @emdash-cms/auth@0.9.0
  • @emdash-cms/auth-atproto@0.2.1
  • @emdash-cms/gutenberg-to-portable-text@0.9.0

0.8.0

Minor Changes

• #679 493e317 Thanks @drudge! - Adds a repeater Block Kit element: array-of-objects with scalar sub-fields, drag-to-reorder, and collapsible item cards. Plugin block forms can now capture repeating data (FAQ rows, carousel slides, card grids) inline in the portable-text editor.

• #779 e402890 Thanks @ascorbic! - Adds settings_get and settings_update MCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO). settings_get resolves media references (logo/favicon/seo.defaultOgImage) to URLs; settings_update is a partial update that preserves omitted fields. New settings:read (EDITOR+) and settings:manage (ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI.

• #777 3eca9d5 Thanks @ascorbic! - Behavior change — MCP taxonomy_list_terms now uses an opaque base64 keyset cursor over (label, id) instead of the previous raw term-id cursor. The new cursor is robust to concurrent term deletion: it encodes a position in sort space rather than a reference to a specific row. MCP clients that persisted page cursors across this upgrade should drop them and restart pagination — pre-upgrade cursors will return INVALID_CURSOR.

  Adds parent-chain validation to taxonomy_create_term (previously only taxonomy_update_term validated): rejects non-existent parents, cross-taxonomy parents, self-parent on update, cycles on update, and parent chains exceeding 100 ancestors. Existing taxonomies with chains over the depth limit continue to function but cannot accept new descendants until the chain is shortened.

• #675 b6cb2e6 Thanks @eyupcanakman! - Renders local media through storage publicUrl when configured. EmDashImage and the Portable Text image block now call a new locals.emdash.getPublicMediaUrl() helper, so R2 and S3 deployments with a custom domain serve images from that domain. S3Storage.getPublicUrl now returns the /_emdash/api/media/file/{key} path when no publicUrl is set (previously {endpoint}/{bucket}/{key}).

• #398 31333dc Thanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the same AuthProviderDescriptor interface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.

Patch Changes

• #777 3eca9d5 Thanks @ascorbic! - Fixes MCP ownership checks failing with an internal error on content that has no authorId (seed-imported rows). Admins and editors can now edit, publish, unpublish, schedule, and restore such items; users with only own-content permissions get a clean permission error.

• #777 3eca9d5 Thanks @ascorbic! - Fixes content create / update silently accepting invalid data: required fields are now enforced, select / multiSelect values must match the configured options, and reference fields must resolve to a real, non-trashed target. Errors surface with a structured VALIDATION_ERROR code and a message naming every offending field.

• #670 37ada52 Thanks @segmentationfaulter! - Change text direction of input fields and tiptap editor depending upon the language entered

• #688 0557b62 Thanks @corwinperdomo! - Fixes the Settings > Email admin page so active email:beforeSend / email:afterSend middleware plugins are listed (previously always empty). Adds HookPipeline.getHookProviders() for enumerating non-exclusive hook providers.

• #673 5a581d9 Thanks @mvanhorn! - Fixes WordPress media import to emit relative /_emdash/api/media/file/... URLs instead of absolute ones, matching every other media endpoint. Imported media is now recognized by INTERNAL_MEDIA_PREFIX for enrichment, and no longer pins URLs to the origin that happened to serve the import request (breaking renders on a different port or behind a reverse proxy).

• #750 0ecd3b4 Thanks @edrpls! - Make the admin collection list column headers sortable. Title, Status, Locale, and Date are now clickable buttons that toggle direction; the current sort state is exposed via aria-sort on the <th> so screen readers announce it correctly.

  The server's orderBy field whitelist now accepts status, locale, and name alongside the existing date fields — unchanged from a security standpoint, the repo still rejects unknown field names to prevent column enumeration.

  Callers of <ContentList> that don't pass onSortChange render the previous static-label headers, so legacy integrations (e.g. the content picker) are unaffected.

• 3138432 Thanks @r2sake! - Fixes hydration of the inline PortableText editor on pnpm projects by aliasing use-sync-external-store/shim to the main use-sync-external-store package. The shim is a CJS-only React<18 polyfill imported transitively by @tiptap/react; under pnpm's virtual store Vite cannot pre-bundle it, and the browser receives raw module.exports which fails to load as ESM (SyntaxError: ... does not provide an export named 'useSyncExternalStore'). The aliases redirect to React's built-in useSyncExternalStore (peer-dep floor is React 18), so users no longer need to add the workaround themselves in astro.config.mjs.

• #755 70924cd Thanks @mvanhorn! - Fixes the WordPress importer so collections created mid-import are visible to the subsequent execute phase.

  POST /_emdash/api/import/wordpress/prepare now calls emdash.invalidateManifest() when it creates new collections or fields. Without this, the DB-persisted manifest cache (emdash:manifest_cache in the options table) stays stale and the execute request reports Collection "<slug>" does not exist for every item destined for a freshly created collection — a bug that survived dev-server restarts and required manually deleting the cache row.

• #757 1f0f6f2 Thanks @ascorbic! - Removes two redundant in-scope database queries from the FTS verify-and-repair path. The inner block re-fetched searchable fields and search config that were already loaded in the outer scope of the same method. No behavior change.

• #777 3eca9d5 Thanks @ascorbic! - Fixes paginated list endpoints silently returning the first page when given a malformed cursor. Bad cursors now produce a structured INVALID_CURSOR error so client pagination bugs surface immediately.

  Note for plugin authors: the low-level decodeCursor export from emdash/database/repositories now throws InvalidCursorError on invalid input instead of returning null. Direct callers (rare — most code uses findMany-style helpers that handle this internally) should wrap the call in try/catch or migrate to the higher-level helpers.

• #777 3eca9d5 Thanks @ascorbic! - Fixes schema_create_collection MCP tool to apply its documented default of ['drafts', 'revisions'] for supports when omitted.

• #189 f5658f0 Thanks @Sayeem3051! - Add url and email plugin setting field types (Issue #175)

• #777 3eca9d5 Thanks @ascorbic! - Preserves structured error codes through MCP tool responses. Errors returned by MCP tools now include a stable [CODE] prefix in the message text and a _meta.code field on the response envelope, so MCP clients can distinguish failure modes (e.g. NOT_FOUND, CONFLICT, VALIDATION_ERROR) instead of seeing only a generic message.

• #777 3eca9d5 Thanks @ascorbic! - Fixes revision_restore for collections that support revisions: restore now creates a new draft revision from the source revision's data and updates draft_revision_id, leaving the live columns untouched. Previously, restore overwrote the live row directly and left any pending draft unchanged, opposite to the documented contract ("Replaces the current draft..."). The response is also hydrated so the returned data reflects the post-restore state.

  Behavior is unchanged for collections that do not support revisions.

• #734 cf1edae Thanks @huckabarry! - Preserve clearer error logging and run sandboxed after() content hook tasks in parallel when deferred plugin hooks execute after save and publish.

• #794 b352e88 Thanks @ascorbic! - Sanitises the snippet field returned by the search() API so it is safe to render with set:html / innerHTML. Previously SQLite's FTS5 snippet() function spliced literal <mark> tags around matched terms but left the surrounding text unescaped, meaning a post title like Hello <script>alert(1)</script> would render as live markup. Templates and components rendering snippets directly were exposed; the in-tree LiveSearch component already worked around this client-side. Snippets now contain only HTML-escaped source text plus literal <mark>...</mark> highlight tags, matching the documented contract.

• #183 da3d065 Thanks @masonjames! - Fixes Astro dev to use the built admin package for external app installs while keeping source aliasing for local monorepo development.

• #777 3eca9d5 Thanks @ascorbic! - Tightens conflict-error matchers in handleContentCreate and handleContentUpdate. Both paths now match specifically on "unique constraint failed" or "duplicate key" (avoiding false positives where the word "unique" appears in unrelated error text), and produce sanitized SLUG_CONFLICT / CONFLICT messages so raw database error text — including Postgres-internal index names — no longer leaks to API consumers. Clients that pattern-match the previous unsanitized messages will see normalized text instead.

• #777 3eca9d5 Thanks @ascorbic! - Fixes taxonomy_list exposing collection slugs for collections that no longer exist. Orphaned slugs are filtered out so the response stays consistent with schema_list_collections.

• #777 3eca9d5 Thanks @ascorbic! - Fixes content_unpublish so that publishedAt is cleared when an item is unpublished.

• #608 47978b5 Thanks @drudge! - Fixes /_emdash/api/widget-areas/* endpoints returning raw DB rows (snake_case fields, content as a JSON string) instead of the transformed Widget shape. Admin UI expects content to already be a parsed PortableText array and componentId/componentProps/menuName in camelCase, so expanding a content widget in /_emdash/admin/widgets produced an empty editor. All four route handlers (GET /widget-areas, GET /widget-areas/:name, POST /widget-areas/:name/widgets, PUT /widget-areas/:name/widgets/:id) now run their results through rowToWidget, which was made module-exported.

• #777 3eca9d5 Thanks @ascorbic! - Adds taxonomies:manage and menus:manage API token scopes for fine-grained control over taxonomy and menu mutations via MCP and REST. Existing tokens with content:write continue to work for those operations: content:write now implicitly grants menus:manage and taxonomies:manage so PATs issued before the split keep their effective permissions. The reverse implication does not hold — a token with only menus:manage cannot create or edit content.

• Updated dependencies [86b26f6, 493e317, e998083, 37ada52, acab807, 0ecd3b4, 4c9f04d, e402890, ed4d880, 31333dc, 3eca9d5]:

  • @emdash-cms/admin@1.0.0
  • @emdash-cms/auth@1.0.0
  • @emdash-cms/auth-atproto@1.0.0
  • @emdash-cms/gutenberg-to-portable-text@1.0.0

0.7.0

Minor Changes

• #705 8ebdf1a Thanks @eba8! - Adds admin white-labeling support via admin config in astro.config.mjs. Agencies can set a custom logo, site name, and favicon for the admin panel, separate from public site settings.

• #742 c26442b Thanks @ascorbic! - Adds trustedProxyHeaders config option so self-hosted deployments behind a reverse proxy can declare which client-IP headers to trust. Used by auth rate limits (magic-link, signup, passkey, OAuth device flow) and the public comment endpoint — without it, every request on a non-Cloudflare deployment was treated as "unknown" and rate limits were effectively disabled.

  Set the option in astro.config.mjs:

  emdash({
  	trustedProxyHeaders: ["x-real-ip"], // nginx, Caddy, Traefik
  });
  

  or via the EMDASH_TRUSTED_PROXY_HEADERS env var (comma-separated). Headers are tried in order; values ending in forwarded-for are parsed as comma-separated lists.

  Also removes the user-agent-hash fallback on the comment endpoint. The fallback was meant to give anonymous commenters on non-Cloudflare deployments something approximating per-user rate limiting, but the UA is trivially rotatable; requests with no trusted IP now share a stricter "unknown" bucket. Operators behind a reverse proxy should set trustedProxyHeaders to restore per-IP bucketing.

  Only set trustedProxyHeaders when you control the reverse proxy. Trusting a forwarded-IP header from the open internet lets any client spoof their IP and defeats rate limiting.

Patch Changes

• #745 7186961 Thanks @ascorbic! - Fixes an unauthenticated denial-of-service via the 404 log. Every 404 response previously inserted a new row into _emdash_404_log, so an attacker could grow the database without bound by requesting unique nonexistent URLs. Repeat hits to the same path now dedup into a single row with a hits counter and last_seen_at timestamp, referrer and user-agent headers are truncated to bounded lengths, and the log is capped at 10,000 rows with oldest-first eviction.

• #739 e9ecec2 Thanks @MohamedH1998! - Fixes the REST content API silently stripping publishedAt on create/update and createdAt on create. Importers can now preserve original publish and creation dates on migrated content. Gated behind content:publish_any (EDITOR+) so regular contributors cannot backdate posts. createdAt is intentionally not accepted on update — created_at is treated as immutable.

• #732 e3e18aa Thanks @jcheese1! - Fixes select dropdown appearing behind dialog by removing explicit z-index values and adding isolate to the admin body for proper stacking context.

• #695 fae63bd Thanks @ascorbic! - Fixes emdash seed so entries declared with "status": "published" are actually published. Previously the seed wrote the content row with status: "published" and a published_at timestamp but never created a live revision, so the admin UI showed "Save & Publish" instead of "Unpublish" and live_revision_id stayed null. The seed now promotes published entries to a live revision on both create and update paths.

• #744 30d8fe0 Thanks @ascorbic! - Fixes a setup-window admin hijack by binding /setup/admin and /setup/admin/verify to a per-session nonce cookie. Previously an unauthenticated attacker who could reach a site during first-time setup could POST to /setup/admin between the legitimate admin's email submission and passkey verification, overwriting the stored email — the admin account would then be created with the attacker's address. The admin route now mints a cryptographically random nonce, stores it in setup state, and sets it as an HttpOnly, SameSite=Strict, /_emdash/-scoped cookie; the verify route rejects any request whose cookie does not match in constant time.

• #685 d4a95bf Thanks @ascorbic! - Fixes visual editing: clicking an editable field now opens the inline editor instead of always opening the admin in a new tab. The toolbar's manifest fetch was reading manifest.collections directly but the /_emdash/api/manifest endpoint wraps its payload in { data: … }, so every field-kind lookup returned null and every click fell through to the admin-new-tab fallback.

• #743 a31db7d Thanks @ascorbic! - Locks emdash:site_url after the first setup call so a spoofed Host header on a later step of the wizard can't overwrite it. Config (siteUrl) and env (EMDASH_SITE_URL) paths already took precedence; this is a defence-in-depth guard for deployments that rely on the request-origin fallback.

• #737 adb118c Thanks @ascorbic! - Rate-limits the self-signup request endpoint to prevent abuse. POST /_emdash/api/auth/signup/request now allows 3 requests per 5 minutes per IP, matching the existing limit on magic-link/send. Over-limit requests return the same generic success response as allowed-but-ignored requests, so the limit isn't observable to callers.

• #738 080a4f1 Thanks @ascorbic! - Strengthens SSRF protection on the import pipeline against DNS-rebinding. The validateExternalUrl helper now also blocks known wildcard DNS services (nip.io, sslip.io, xip.io, traefik.me, lvh.me, localtest.me) and trailing-dot FQDN forms of blocked hostnames. A new resolveAndValidateExternalUrl resolves the target hostname via DNS-over-HTTPS (Cloudflare) and rejects if any returned IP is in a private range. ssrfSafeFetch and the plugin unrestricted-fetch path now use the DNS-aware validator on every hop. This adds two DoH round-trips per outbound request; self-hosted admins whose egress blocks cloudflare-dns.com can inject a custom resolver via setDefaultDnsResolver.

• #736 81fe93b Thanks @ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retain content:read for member-only published content but no longer see non-published items via the REST API or MCP server. Adds a new content:read_drafts permission (Contributor and above) that gates /compare, /revisions, /trash, /preview-url, and the corresponding MCP tools.

• Updated dependencies [8ebdf1a, 2e4b205, e3e18aa, 743b080, fa8d753, 81fe93b]:

  • @emdash-cms/admin@0.7.0
  • @emdash-cms/auth@0.7.0
  • @emdash-cms/gutenberg-to-portable-text@0.7.0

0.6.0

Minor Changes

• #626 1859347 Thanks @ascorbic! - Adds eager hydration of taxonomy terms on getEmDashCollection and getEmDashEntry results. Each entry now exposes a data.terms field keyed by taxonomy name (e.g. post.data.terms.tag, post.data.terms.category), populated via a single batched JOIN query alongside byline hydration. Templates that previously looped and called getEntryTerms(collection, id, taxonomy) per entry can read entry.data.terms directly and skip the N+1 round-trip.

  New exports: getAllTermsForEntries, invalidateTermCache.

  Reserved field slugs now also block terms, bylines, and byline at schema-creation time to prevent new fields shadowing the hydrated values. Existing installs that already have a user-defined field with any of those slugs will see the hydrated value overwrite the stored value on read (consistent with the pre-existing behavior of bylines / byline hydration); rename the field to keep its data accessible.

• #600 9295cc1 Thanks @ascorbic! - Adds Noto Sans as the default admin UI font via the Astro Font API. Fonts are downloaded from Google at build time and self-hosted. The base font covers Latin, Cyrillic, Greek, Devanagari, and Vietnamese. Additional scripts (Arabic, CJK, Hebrew, Thai, etc.) can be added via the new fonts.scripts config option. Set fonts: false to disable and use system fonts.

Patch Changes

• #648 ada4ac7 Thanks @CacheMeOwside! - Adds the missing url field type for seed files, content type builder, and content editor with client-side URL validation.

• #658 f279320 Thanks @ascorbic! - Adds after(fn) — a helper for deferring bookkeeping work past the HTTP response. On Cloudflare it hands off to waitUntil (extending the worker's lifetime); on Node it fire-and-forgets (the event loop keeps the process alive for the next request anyway). Host binding is plumbed through a new virtual:emdash/wait-until virtual module so core stays runtime-neutral — Cloudflare-specific imports live in the integration layer, not in request-handling code.

  First use: cron stale-lock recovery (_emdash_cron_tasks UPDATE) now runs after the response ships instead of blocking it. On D1 this shaves a primary-routed write off the cold-start critical path.

  Usage:

  import { after } from "emdash";
  
  // Fire-and-forget; errors are caught and logged so a deferred task
  // never surfaces as an unhandled rejection.
  after(async () => {
  	await recordAuditEntry();
  });
  

• #642 7f75193 Thanks @Pouf5! - Adds maxUploadSize config option to set the maximum media file upload size in bytes. Defaults to 52_428_800 (50 MB) — existing behaviour is unchanged.

• #595 cfd01f3 Thanks @ascorbic! - Fixes playground initialization crash caused by syncSearchState attempting first-time FTS enablement during field creation.

• #663 38d637b Thanks @ascorbic! - Cache getSiteSetting(key) per-request. It was firing an uncached options table read on every call, so templates that pull several settings (or EmDashHead reading seo on every page render) paid N round-trips to the D1 primary instead of sharing one. Noticeable on colos far from the primary — APS/APE were seeing ~30–100 ms of avoidable warm-render latency per page.

  Wraps each key in requestCached("siteSetting:${key}", ...) so concurrent callers in a single render share the in-flight query.

• #631 31d2f4e Thanks @ascorbic! - Improves cold-start performance for anonymous page requests. Sites with D1 replicas far from the worker colo should see the biggest improvement; on the blog-demo the homepage cold request on Asia colos dropped from several seconds to under a second.

  Three underlying changes:

  • Search index health checks run on demand (on the first search request) rather than at worker boot, reclaiming the time a boot-time scan spent walking every searchable collection.
  • Module-scoped caches (manifest, taxonomy names, byline existence, taxonomy-assignment existence) are now reused across anonymous requests that route through D1 read replicas. They previously rebuilt on every request.
  • Cold-start Server-Timing headers break runtime init into sub-phases (rt.db, rt.plugins, etc.) so further regressions are easier to diagnose.

• #605 445b3bf Thanks @ascorbic! - Fixes D1 read replicas being bypassed for anonymous public page traffic. The middleware fast path now asks the database adapter for a per-request scoped Kysely, so anonymous reads land on the nearest replica instead of the primary-pinned singleton binding.

  All D1-specific semantics (Sessions API, constraint selection, bookmark cookie) live in @emdash-cms/cloudflare/db/d1 behind a single createRequestScopedDb(opts) function. Core middleware has no D1-specific logic. Adapters opt in via a new supportsRequestScope: boolean flag on DatabaseDescriptor; d1() sets it to true.

  Other fixes in the same change:

  • Nested runWithContext calls in the request-context middleware now merge the parent context instead of replacing it, so an outer per-request db override is preserved through edit/preview flows.
  • Baseline security headers now forward Astro's cookie symbol across the response clone so cookies.set() calls in middleware survive.
  • Any write (authenticated or anonymous) now forces first-primary, so an anonymous form/comment POST isn't racing across replicas.
  • The session user is read once per request and reused in both the fast path and the full runtime init (previously read twice on authenticated public-page traffic).
  • Bookmark cookies are validated only for length (≤1024) and absence of control characters — no stricter shape check, so a future D1 bookmark format change won't silently degrade consistency.
  • The !config bail-out now still applies baseline security headers.
  • __ec_d1_bookmark references aligned to __em_d1_bookmark across runtime, docs, and JSDoc.

• #654 943d540 Thanks @ascorbic! - Dedups repeat DB queries within a single page render. Measured against the query-count fixture:

  • The "has any bylines / has any taxonomy terms" probes were module-scoped singletons, but the bundler duplicates those modules across chunks — each chunk ended up with its own copy of the singleton, so the probe re-ran whenever a different chunk called the helper. Stored on globalThis with a Symbol key (same pattern as request-context.ts), so a single value is shared across all chunks now.
  • Wraps getCollectionInfo, getTaxonomyDef, getTaxonomyTerms, and getEmDashCollection in the request-scoped cache so two callers with the same arguments in the same render share a single query.

  Biggest wins land on pages that render multiple content-heavy components (a post detail page with comments, byline credits, and sidebar widgets). On the fixture post page: -3 queries cold / -1 warm under SQLite, -2 queries cold under D1.

• #668 2cb3165 Thanks @CacheMeOwside! - Fixes boolean field checkbox displaying as unchecked after publish in the admin UI.

• #500 14c923b Thanks @all3f0r1! - Adds inline term creation in the post editor taxonomy sidebar. Tags show a "Create" option when no match exists; categories get an "Add new" button below the list.

• #606 c5ef0f5 Thanks @ascorbic! - Caches the manifest in memory and in the database to eliminate N+1 schema queries per request. Batches site info queries during initialization. Cold starts read 1 cached row instead of rebuilding from scratch.

• #671 f839381 Thanks @jcheese1! - Fixes MCP OAuth discovery and dynamic client registration so EmDash only advertises supported client registration mechanisms and rejects unsupported redirect URIs or token endpoint auth methods during client registration. Also exempts OAuth protocol endpoints (token, register, device code, device token) from the Origin-based CSRF check, since these endpoints are called cross-origin by design (MCP clients, CLIs, native apps) and carry no ambient credentials, and sends the required CORS headers so browser-based MCP clients can reach them.

• #664 002d0ac Thanks @ascorbic! - getSiteSetting(key) now transparently piggybacks on getSiteSettings() when the batch has already been loaded in the current request. If a parent template has called getSiteSettings() (which is request-cached), a later getSiteSetting("seo") — from EmDashHead, a plugin, or user code — reads the key from that cached result instead of firing its own round-trip. Falls back to a per-key cached query when nothing has been primed.

  Exposes peekRequestCache(key) for internal use by other helpers that want the same "read from a broader cached query if available" pattern.

  On the blog-demo fixture: the SEO call added in PR #613 now costs zero extra queries per page (it reads from the Base layout's existing getSiteSettings() result).

• #465 0a61ef4 Thanks @Pouf5! - Fixes FTS5 tables not being created when a searchable collection is created or updated via the Admin UI.

• #636 6d41fe1 Thanks @ascorbic! - Fixes two correctness issues from the #631 cold-start work:

  • ensureSearchHealthy() now runs against the runtime's singleton database instead of the per-request session-bound one. The verify step reads, but a corrupted index triggers a rebuild write, and D1 Sessions on a GET request uses first-unconstrained routing that's free to land on a replica. The singleton goes through the default binding, which the adapter correctly promotes to first-primary for writes.
  • The playground request-context middleware now sets dbIsIsolated: true. Without it, schema-derived caches (manifest, taxonomy defs, byline/term existence probes) could carry values across playground sessions that have independent schemas.

• #627 b158e40 Thanks @ascorbic! - Prime the request-scoped cache for getEntryTerms during collection and entry hydration. getEmDashCollection and getEmDashEntry already fetch taxonomy terms for their results via a single batched JOIN; now the same data is seeded into the per-request cache under the same keys getEntryTerms uses, so existing templates that still call getEntryTerms(collection, id, taxonomy) in a loop get cache hits instead of a serial DB round-trip per iteration.

  Empty-result entries are seeded with [] for every taxonomy that applies to the collection so "this post has no tags" also short-circuits without a query. Cache entries are scoped to the request context via ALS and GC'd with it.

• #653 f97d6ab Thanks @ascorbic! - Adds opt-in query instrumentation for performance regression testing. Setting EMDASH_QUERY_LOG=1 causes the Kysely log hook to emit [emdash-query-log]-prefixed NDJSON on stdout for every DB query executed inside a request, tagged with the route, method, and an X-Perf-Phase header value. Zero runtime overhead when the flag is unset — the log option is only attached to Kysely when enabled.

  Also exposes the helpers at emdash/database/instrumentation so first-party adapters (e.g. @emdash-cms/cloudflare) can wire the same hook into their per-request Kysely instances.

• #613 e67b940 Thanks @nickgraynews! - Fixes site SEO settings googleVerification and bingVerification not being emitted into <head>. The fields were stored in the database and editable in the admin UI but were never rendered as <meta name="google-site-verification"> or <meta name="msvalidate.01"> tags, making meta-tag verification with Google Search Console and Bing Webmaster Tools impossible. EmDashHead now loads site SEO settings and renders these tags on every page.

• #659 0896ec8 Thanks @ascorbic! - Two query-count reductions on the request hot path:

  • Widget areas now fetch in a single query. getWidgetArea(name) used to do two round-trips — one for the area, one for its widgets. Single left-join now. Saves one query per <WidgetArea> rendered on a page.
  • Dropped the "has any bylines / has any term assignments" probes. Those fired on every hydration call to save a single query on sites with zero bylines/terms — exactly the wrong tradeoff. The batch hydration queries already handle empty sites at the same cost, so the probes are removed. Pre-migration databases (tables not created yet) are still handled via an isMissingTableError catch. Saves two queries per render on pages that hydrate bylines and taxonomy terms.

  On the fixture post-detail page: SQLite /posts/[slug] drops from 34 → 32, D1 from 43 → 39. The widget-area JOIN shaves one off every page that renders a widget area.

  invalidateBylineCache() and invalidateTermCache() are preserved as no-op exports so callers don't break.

• #558 629fe1d Thanks @csfalcao! - Fixes /_emdash/api/search/suggest 500 error. getSuggestions no longer double-appends the FTS5 prefix operator * on top of the one escapeQuery already adds, so autocomplete queries like ?q=des now return results instead of raising SqliteError: fts5: syntax error near "*".

• #552 f52154d Thanks @masonjames! - Fixes passkey login failures so unregistered or invalid credentials return an authentication failure instead of an internal server error.

• #601 8221c2a Thanks @CacheMeOwside! - Fixes the Save Changes button on the Content Type editor failing silently with a 400 error

• #598 8fb93eb Thanks @maikunari! - Fixes WordPress import error reporting to surface the real exception message instead of a generic "Failed to import item" string, making import failures diagnosable.

• #629 6d7f288 Thanks @CacheMeOwside! - Adds toast feedback when taxonomy assignments are saved or fail on content items.

• #638 4ffa141 Thanks @auggernaut! - Fixes repeated FTS startup rebuilds on SQLite by verifying indexed row counts against the FTS shadow table.

• #582 04e6cca Thanks @all3f0r1! - Improves the "Failed to create database" error to detect NODE_MODULE_VERSION mismatches from better-sqlite3 and surface an actionable message telling the user to rebuild the native module.

• Updated dependencies [dfcb0cd, cf63b02, 0b32b2f, 913cb62, 6c92d58, a2d5afb, 39d285e, f52154d]:

  • @emdash-cms/admin@0.6.0
  • @emdash-cms/auth@0.6.0
  • @emdash-cms/gutenberg-to-portable-text@0.6.0

0.5.0

Minor Changes

• #540 82c6345 Thanks @jdevalk! - Adds where: { status?, locale? } to ContentListOptions, letting plugins narrow ContentAccess.list() results at the database layer instead of filtering the returned array. The underlying repository already supports these filters — this PR only exposes them through the plugin-facing type.

• #551 598026c Thanks @ophirbucai! - Adds RTL (right-to-left) language support infrastructure. Enables proper text direction for RTL languages like Arabic, Hebrew, Farsi, and Urdu. Includes LocaleDirectionProvider component that syncs HTML dir/lang attributes with Kumo's DirectionProvider for automatic layout mirroring when locale changes.

Patch Changes

• #542 64f90d1 Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration.

• #555 197bc1b Thanks @ascorbic! - Fixes OAuth authorization server metadata discovery for MCP clients by serving it at the RFC 8414-compliant path.

• #534 ce873f8 Thanks @ttmx! - Fixes Table block to render inline marks (bold, italic, code, links, etc.) through the Portable Text pipeline instead of stripping them to plain text. Links are sanitized via sanitizeHref(). Table styles now use CSS custom properties with fallbacks.

• Updated dependencies [9ea4cf7, 64f90d1, 598026c]:

  • @emdash-cms/admin@0.5.0
  • @emdash-cms/auth@0.5.0
  • @emdash-cms/gutenberg-to-portable-text@0.5.0

0.4.0

Minor Changes

• #539 8ed7969 Thanks @jdevalk! - Adds locale to the ContentItem type returned by the plugin content access API. Follow-up to #536 — plugins that build i18n URLs from content records need the locale to pick the right URL prefix, otherwise multilingual content is emitted at default-locale URLs.

• #523 5d9120e Thanks @jdevalk! - Add nlweb to the allowed rel values for page:metadata link contributions, letting plugins inject <link rel="nlweb" href="..."> tags for agent/conversational endpoint discovery.

• #536 9318c56 Thanks @ttmx! - Adds slug, status, and publishedAt to the ContentItem type returned by the plugin content access API. Exports ContentPublishStateChangeEvent type. Fires afterDelete hooks on permanent content deletion.

• #519 5c0776d Thanks @ascorbic! - Enables the MCP server endpoint by default. The endpoint at /_emdash/api/mcp requires bearer token auth, so it has no effect unless a client is configured. Set mcp: false to disable.

  Fixes MCP server crash ("exports is not defined") on Cloudflare in dev mode by pre-bundling the MCP SDK's CJS dependencies for workerd.

Patch Changes

• #515 5beddc3 Thanks @ascorbic! - Reduces logged-out page load queries by caching byline existence, URL patterns, and redirect rules at worker level with proper invalidation.

• #512 f866c9c Thanks @mahesh-projects! - Fixes save/publish race condition in visual editor toolbar. When a user blurred a field and immediately clicked Publish, the in-flight save PUT could arrive at the server after the publish POST, causing the stale revision to be promoted silently. Introduces pendingSavePromise so publish() chains onto the pending save rather than firing immediately.

• #537 1acf174 Thanks @Glacier-Luo! - Fixes plugin bundle resolving dist path before source, which caused build failures and potential workspace-wide source file destruction.

• #538 678cc8c Thanks @Glacier-Luo! - Fixes revision pruning crash on PostgreSQL by replacing column alias in HAVING clause with the aggregate expression.

• #509 d56f6c1 Thanks @mvanhorn! - Fixes TypeError when setting baseline security headers on Cloudflare responses with immutable headers.

• #495 2a7c68a Thanks @ascorbic! - Fixes atomicity gaps: content update _rev check, menu reorder, byline delete, and seed content creation now run inside transactions.

• #497 6492ea2 Thanks @ascorbic! - Fixes migration 011 rollback, plugin media upload returning wrong ID, MCP taxonomy tools bypassing validation, and FTS query escaping logic.

• #517 b382357 Thanks @ascorbic! - Improves plugin safety: hooks log dependency cycles, timeouts clear timers, routes don't leak error internals, one-shot cron tasks retry with exponential backoff (max 5), marketplace downloads validate redirect targets.

• #532 1b743ac Thanks @ascorbic! - Fixes cold-start query explosion (159 -> ~25 queries) by short-circuiting migrations when all are applied, fixing FTS triggers to exclude soft-deleted content, and preventing false-positive FTS index rebuilds on every startup.

• Updated dependencies [3a96aa7, c869df2, 10ebfe1, 275a21c, af0647c, b89e7f3, 20b03b4, ba0a5af, e2f96aa, 4645103]:

  • @emdash-cms/admin@0.4.0
  • @emdash-cms/auth@0.4.0
  • @emdash-cms/gutenberg-to-portable-text@0.4.0

0.3.0

Minor Changes

• #457 f2b3973 Thanks @UpperM! - Adds runtime resolution of S3 storage config from S3_* environment variables (S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_REGION, S3_PUBLIC_URL). Any field omitted from s3({...}) is read from the matching env var on Node at runtime, so container images can be built once and receive credentials at boot without a rebuild. Explicit values in s3({...}) still take precedence.

  s3() with no arguments is now valid for fully env-driven deployments. accessKeyId and secretAccessKey are now optional in S3StorageConfig (both or neither). Workers users should continue passing explicit values to s3({...}).

Patch Changes

• #492 13f5ff5 Thanks @UpperM! - Fixes manifest version being hardcoded to "0.1.0". The version and git commit SHA are now injected at build time via tsdown/Vite define, reading from package.json and git rev-parse.

• #494 a283954 Thanks @ascorbic! - Adds defensive identifier validation to all SQL interpolation points to prevent injection via dynamic identifiers.

• #351 c70f66f Thanks @CacheMeOwside! - Fixes redirect loops causing the ERR_TOO_MANY_REDIRECTS error, by detecting circular chains when creating or editing redirects on the admin Redirects page.

• #499 0b4e61b Thanks @ascorbic! - Fixes admin failing to load when installed from npm due to broken locale catalog resolution.

• Updated dependencies [c70f66f, 0b4e61b]:

  • @emdash-cms/admin@0.3.0
  • @emdash-cms/auth@0.3.0
  • @emdash-cms/gutenberg-to-portable-text@0.3.0

0.2.0

Minor Changes

• #367 8f44ec2 Thanks @ttmx! - Adds content:afterPublish and content:afterUnpublish plugin hooks, fired after content is published or unpublished. Both are fire-and-forget notifications requiring read:content capability, supporting trusted and sandboxed plugins.

• #431 7ee7d95 Thanks @jdevalk! - Per-collection sitemaps with sitemap index and lastmod

  /sitemap.xml now serves a <sitemapindex> with one child sitemap per SEO-enabled collection. Each collection's sitemap is at /sitemap-{collection}.xml with <lastmod> on both index entries and individual URLs. Uses the collection's url_pattern for correct URL building.

• #414 4d4ac53 Thanks @jdevalk! - Adds breadcrumbs?: BreadcrumbItem[] to PublicPageContext so themes can publish a breadcrumb trail as part of the page context, and SEO plugins (or any other page:metadata consumer) can read it without having to invent their own per-theme override mechanism. BreadcrumbItem is also exported from the emdash package root. The field is optional and non-breaking — existing themes and plugins work unchanged, and consumers can adopt it incrementally. Empty array (breadcrumbs: []) is an explicit opt-out signal (e.g. for homepages); undefined means "no opinion, fall back to consumer's own derivation".

• #111 87b0439 Thanks @mvanhorn! - Adds repeater field type for structured repeating data

• #382 befaeec Thanks @UpperM! - Adds siteUrl config option to fix reverse-proxy origin mismatch. Replaces passkeyPublicOrigin with a single setting that covers all origin-dependent features: passkeys, CSRF, OAuth, auth redirects, MCP discovery, snapshots, sitemap, robots.txt, and JSON-LD.

  Supports EMDASH_SITE_URL / SITE_URL environment variables for container deployments where the domain is only known at runtime.

  Disables Astro's security.checkOrigin (EmDash's own CSRF layer handles origin validation with dual-origin support and runtime siteUrl resolution). When siteUrl is set in config, also sets security.allowedDomains so Astro.url reflects the public origin in templates.

  Breaking: passkeyPublicOrigin is removed. Rename to siteUrl in your astro.config.mjs.

Patch Changes

• #182 156ba73 Thanks @masonjames! - Fixes media routes so storage keys with slashes resolve correctly.

• #422 80a895b Thanks @baezor! - Fixes SEO hydration exceeding D1 SQL variable limit on large collections by chunking the content_id IN (...) clause in SeoRepository.getMany.

• #94 da957ce Thanks @eyupcanakman! - Reject dangerous URL schemes in menu custom links

• #223 fcd8b7b Thanks @baezor! - Fixes byline hydration exceeding D1 SQL variable limit on large collections by chunking IN clauses.

• #479 8ac15a4 Thanks @ascorbic! - Enforces permission checks on content status transitions, media provider endpoints, and translation group creation.

• #250 ba2b020 Thanks @JULJERYT! - Optimize dashboard stats (3x fewer db queries)

• #340 0b108cf Thanks @mvanhorn! - Passes emailPipeline to plugin route handler context so plugins with email:send capability can send email from route handlers.

• #148 1989e8b Thanks @masonjames! - Adds public plugin settings helpers.

• #352 e190324 Thanks @barckcode! - Allows external HTTPS images in the admin UI by adding https: to the img-src CSP directive. Fixes external content images (e.g. from migration or external hosting) being blocked in the content editor.

• #72 724191c Thanks @travisbreaks! - Fix CLI login against remote Cloudflare-deployed instances by unwrapping API response envelope and adding admin scope

• #480 ed28089 Thanks @ascorbic! - Fixes admin demotion guard, OAuth consent flow, device flow token exchange, preview token scoping, and revision cleanup on permanent delete.

• #247 a293708 Thanks @NaeemHaque! - Fixes email settings page showing empty by registering the missing API route. Adds error state to the admin UI so fetch failures are visible instead of silently swallowed.

• #324 c75cc5b Thanks @barckcode! - Fixes admin editor crash when image blocks lack the asset wrapper. Image blocks with url at the top level (e.g. from CMS migrations) now render correctly instead of throwing TypeError: Cannot read properties of undefined (reading 'url').

• #353 6ebb797 Thanks @ilicfilip! - fix(core): pass field.options through to admin manifest for plugin field widgets

• #209 d421ee2 Thanks @JonahFoster! - Fixes base OG, Twitter, and article JSON-LD titles so they can use a page-specific title without including the site name suffix from the document title.

• #394 391caf4 Thanks @datienzalopez! - Fixes plugin:activate and plugin:deactivate hooks not being called when enabling or disabling a plugin via the admin UI or setPluginStatus. Previously, setPluginStatus rebuilt the hook pipeline but never invoked the lifecycle hooks. Now plugin:activate fires after the pipeline is rebuilt with the plugin included, and plugin:deactivate fires on the current pipeline before the plugin is removed.

• #357 6474dae Thanks @Vallhalen! - Fix: default adminPages and dashboardWidgets to empty arrays in manifest to prevent admin UI crash when plugins omit these properties.

• #453 30c9a96 Thanks @all3f0r1! - Fixes ctx.content.create() and ctx.content.update() so plugins can write to the core SEO panel. When the input data contains a reserved seo key, it is now extracted and routed to _emdash_seo via the SEO repository, matching the REST API shape. ctx.content.get() and ctx.content.list() also hydrate the seo field on returned items for SEO-enabled collections.

• #326 122c236 Thanks @barckcode! - Fixes WXR import not preserving original post dates or publish status. Uses wp:post_date_gmt (UTC) with fallback chain to pubDate (RFC 2822) then wp:post_date (site-local). Handles the WordPress 0000-00-00 00:00:00 sentinel for unpublished drafts. Sets published_at for published posts. Applies to both WXR file upload and plugin-based import paths.

• #371 5320321 Thanks @pejmanjohn! - Fix MCP OAuth discovery for unauthenticated POST requests.

• #338 b712ae3 Thanks @mvanhorn! - Fixes standalone wildcard "" in plugin allowedHosts so plugins declaring allowedHosts: [""] can make outbound HTTP requests to any host.

• #434 9cb5a28 Thanks @hayatosc! - Avoid accessing sessions on prerendered public routes.

• #119 e1014ef Thanks @blmyr! - Fix plugin page:metadata and page:fragments hooks not firing for anonymous public page visitors. The middleware's early-return fast-path for unauthenticated requests now initializes the runtime (skipping only the manifest query), so plugin contributions render via <EmDashHead>, <EmDashBodyStart>, and <EmDashBodyEnd> for all visitors. Also adds collectPageMetadata and collectPageFragments to the EmDashHandlers interface.

• #424 476cb3a Thanks @csfalcao! - Fixes public access to the search API (#104). The auth middleware blocked /_emdash/api/search before the handler ran, so #107's handler-level change never took effect for anonymous callers. Adds the endpoint to PUBLIC_API_EXACT so the shipped LiveSearch component works on public sites without credentials. Admin endpoints (/search/enable, /search/rebuild, /search/stats, /search/suggest) remain authenticated.

• #333 dd708b1 Thanks @mvanhorn! - Adds composite index on (deleted_at, published_at DESC, id DESC) to eliminate full table scans for frontend listing queries that order by published_at.

• #448 c92e7e6 Thanks @grexe! - fixes logo and favicon site settings not being applied to templates

• #319 2ba1f1f Thanks @ideepakchauhan7! - Fixes i18n config returning null in Vite dev SSR by reading from virtual module instead of dynamic import.

• #251 a13c4ec Thanks @yohaann196! - fix: expose client_id in device flow discovery response

• #93 a5e0603 Thanks @eyupcanakman! - Fix taxonomy links missing from admin sidebar

• Updated dependencies [0966223, 53dec88, 3b6b75b, a293708, 1a93d51, c9bf640, 87b0439, 5eeab91, e3f7db8, a5e0603]:

  • @emdash-cms/admin@0.2.0
  • @emdash-cms/auth@0.2.0
  • @emdash-cms/gutenberg-to-portable-text@0.2.0

0.1.1

Patch Changes

• #200 422018a Thanks @ascorbic! - Replace placeholder text branding with proper EmDash logo SVGs across admin UI, playground loading page, and preview interstitial

• #206 4221ba4 Thanks @tsikatawill! - Fixes multiSelect custom fields rendering as plain text inputs instead of a checkbox group.

• #133 9269759 Thanks @kyjus25! - Fix auth links and OAuth callbacks to use /_emdash/api/auth/... so emailed sign-in, signup, and invite URLs resolve correctly in EmDash.

• #365 d6cfc43 Thanks @ascorbic! - Fixes migration 033 failing with "index already exists" on databases where the schema registry had already created composite indexes on content tables.

• #313 1bcfc50 Thanks @mvanhorn! - Remove FTS5 integrity-check from startup verification to prevent D1 shadow table corruption

• #262 8c693b5 Thanks @BenjaminPrice! - Fix media upload OOM on Cloudflare Workers for large images by generating blurhash from client-provided thumbnails instead of decoding full-resolution images server-side

• #330 5b3e33c Thanks @MattieTK! - Fixes migration 033 (optimize content indexes) not being registered in the static migration runner, so the composite and partial indexes it defines are now actually applied on startup.

• #181 9d10d27 Thanks @ilicfilip! - fix(admin): use collection urlPattern for preview button fallback URL

• #363 91e31fb Thanks @ascorbic! - Fixes sandboxed plugin entries failing when package exports point to unbuilt TypeScript source. Adds build-time and bundle-time validation to catch misconfigured plugin exports early.

• #298 f112ac4 Thanks @BenjaminPrice! - Fixes install telemetry using an unstable hash that inflated install counts. Uses the site's request origin as a stable hash seed for accurate per-site deduplication. Denormalizes install_count on the marketplace plugins table for query performance.

• #214 e9a6f7a Thanks @SARAMALI15792! - Optimizes D1 database indexes to eliminate full table scans in admin panel. Adds composite indexes on ec_* content tables for common query patterns (deleted_at + updated_at/created_at + id) and rewrites comment counting to use partial indexes. Reduces D1 row reads by 90%+ for dashboard operations.

• #107 b297fdd Thanks @mvanhorn! - Allows public access to search API for frontend LiveSearch

• #225 d211452 Thanks @seslly! - Adds passkeyPublicOrigin on emdash() so WebAuthn origin and rpId match the browser when dev sits behind a TLS-terminating reverse proxy. Validates the value at integration load time and threads it through all passkey-related API routes.

  Updates the admin passkey setup and login flows to detect non-secure origins and explain that passkeys need HTTPS or http://localhost rather than implying the browser lacks WebAuthn support.

• #105 8e28cfc Thanks @ascorbic! - Fix CLI --json flag so JSON output is clean. Previously, consola.success() and other log messages leaked into stdout alongside the JSON data, making it unparseable by scripts. Log messages now go to stderr when --json is set.

• #83 38af118 Thanks @antoineVIVIES! - Sanitize WordPress post type slugs during import. Fixes crashes when importing sites using plugins (Elementor, WooCommerce, ACF, etc.) that register post types with hyphens, uppercase letters, or other characters invalid in EmDash collection slugs. Reserved collection slugs are prefixed with wp_ to avoid conflicts.

• Updated dependencies [12d73ff, 422018a, 9269759, 71744fb, 018be7f, 9d10d27, d211452, ab21f29, bfcda12, 5f448d1]:

  • @emdash-cms/admin@0.1.1
  • @emdash-cms/auth@0.1.1

0.1.0

Minor Changes

• #14 755b501 Thanks @ascorbic! - First beta release

Patch Changes

• Updated dependencies [755b501]:
  • @emdash-cms/admin@0.1.0
  • @emdash-cms/auth@0.1.0
  • @emdash-cms/gutenberg-to-portable-text@0.1.0

0.0.3

Patch Changes

• #8 3c319ed Thanks @ascorbic! - Fix crash on fresh deployments when the first request hits a public page before setup has run. The middleware now detects an empty database and redirects to the setup wizard instead of letting template helpers query missing tables.

• Updated dependencies [3c319ed]:

  • @emdash-cms/admin@0.0.2

0.0.2

Patch Changes

• #2 b09bfd5 Thanks @ascorbic! - Fix virtual module resolution errors when emdash is installed from npm on Cloudflare. The esbuild dependency pre-bundler was encountering virtual:emdash/* imports while crawling dist files and failing to resolve them. These are now excluded from the optimizeDeps scan.