* implement safe url validation for redirects
added validation for safe redirect urls to prevent xss attacks
* add changeset: fix dom xss in form redirects
(marked as patch version bump for @emdash-cms/plugin-forms)
---------
Co-authored-by: Matt Kane <mkane@cloudflare.com>
* fix(x402): add tsdown config to build middleware entry point
* adds optimizeDeps.exclude and ssr.optimizeDeps.exclude for @emdash-cms/x402 in the integration's Vite config
* fix CI typecheck
---------
Co-authored-by: Matt Kane <mkane@cloudflare.com>
* perf(db): optimize D1 indexes to eliminate full table scans
- Add composite indexes to ec_* tables for common query patterns
- Replace single-column indexes with (deleted_at, updated_at, id) composite
- Add (deleted_at, status) index for count queries
- Add (deleted_at, created_at, id) index for chronological ordering
- Optimize comment counting with partial indexes per status
- Rewrite countByStatus() to use parallel WHERE queries instead of GROUP BY
Fixes#131
* chore: add changeset for D1 index optimization
* style: wrap changeset description for formatting compliance
Replace placeholder text branding ("— EmDash") with actual logo SVGs
from the brand assets. Adds Logo.tsx with LogoIcon (icon mark) and
LogoLockup (icon + wordmark) components.
- Sidebar: gradient icon mark replaces em dash text character
- Login, Signup, Setup: full lockup SVG with currentColor wordmark
- Welcome modal: logo icon replaces Sparkle placeholder
- Favicon: real gradient icon SVG replaces emoji
* fix(tests): remove explicit beforeAll timeouts that override global hookTimeout
Integration tests passed 60s timeouts to beforeAll, overriding the
120s hookTimeout in vitest.smoke.config.ts. On CI the dev server
startup can consume the full 60s, leaving no time for setup + seeding.
Also bumps createTestServer's default waitForServer timeout from 60s
to 90s, leaving 30s margin within the 120s hook budget.
* fix(tests): don't remove shared node_modules symlink during cleanup
Multiple integration test suites run concurrently and share the
fixture/node_modules symlink. When the suite that created it finishes
first, its cleanup deletes the symlink, causing other suites to fail
with MODULE_NOT_FOUND when their server process tries to resolve astro.
The symlink is gitignored so it's safe to leave in place.
- Fix playground-toolbar test: URL changed to github.com but test still expected docs.emdashcms.com
- create-emdash: extract selectTemplate() to eliminate unsafe/unnecessary type assertions
- create-emdash: use type-safe Object.keys filter instead of bare cast
- cloudflare/cache: use Reflect.get with typeof guard instead of double type assertion
- x402/enforcer: replace unsafe request cast with Reflect.get type guards for CF bot management
- x402/middleware: suppress unavoidable virtual module any-cast with eslint comment
On a fresh CF deployment, if the first request hits a public page, the
middleware fast-path skips runtime init. Template helpers like
getSiteSettings() then query an empty database and crash with
'no such table: options'.
Add a one-time setup probe in the middleware fast-path: check if the
migrations table exists, and redirect to the setup wizard if not.
The check is cached for the worker lifetime after first success.
Also includes release workflow update to use GitHub App token and
admin branding changeset.
