272 KiB
emdash
0.29.0
Minor Changes
-
#1535
0360900Thanks @MA2153! - Adds an HTTP API for content references: relation-definition CRUD under/_emdash/api/relations(editor-readable, admin-writable) and directed reference edges on content entries under/_emdash/api/content/:collection/:id/references/:relation/{children,parents}(ownership-aware). References are stored only in the references table — no collection column. The edge reads are cursor-paginated (?cursor/?limit, default 50, max 100) and returnnextCursor; each resolved entry carries thelocaleof the variant returned. -
#1874
1526f96Thanks @Vallhalen! - MCPcontent_createandcontent_updatenow accept ataxonomiesfield ({ [taxonomyName]: [termSlug, ...] }) that assigns taxonomy terms in the same transaction as the content write. Term slugs are resolved in the entry's locale via the same code path as the/terms/{taxonomy}REST route, so the two entry points can't drift. Also exposed on the RESTPOSTandPUTcontent endpoints for parity. Fixes #953. -
#1719
7c5de08Thanks @swissky! - Adds ataxonomies:readplugin capability with read-only taxonomy access: plugins that declare it getctx.taxonomiesto list taxonomy definitions (getAll()), fetch the terms of a taxonomy (getTerms()), and read the terms assigned to a content entry (getEntryTerms()) — in-process and in both sandbox runners. -
#1578
58f594bThanks @marcusbellamyshaw-cell! - Implements pagination forsearch()andsearchCollection()search()advertised keyset pagination through its types (options.cursor,SearchResponse.nextCursor) but never read the cursor or returned one, so results were silently capped atlimitwith no way to load a second page.Both
search()andsearchCollection()now honourcursorand return anextCursorwhenever more matches exist. Pass the previousnextCursorback ascursorto walk subsequent pages; it becomesundefinedon the last page. The/_emdash/api/searchendpoint accepts acursorquery parameter and returnsnextCursorin its response (a malformed cursor returns a 400INVALID_CURSOR).let cursor: string | undefined; do { const { items, nextCursor } = await search("quarterly report", { limit: 20, cursor, }); render(items); cursor = nextCursor; } while (cursor); -
#1867
c57b12bThanks @khoinguyenpham04! - Adds an admin REST endpoint andEmDashClient.mediaRepairUsage()client method for repairing content media usage indexes by collection or across all collections. -
#1886
60811c0Thanks @swissky! - Adds atoolbarconfig option for reliable editor-toolbar delivery behind shared caches.toolbar: "client"keeps public HTML identical for every visitor and shows a client-side "Edit" pill for logged-in editors that opens a fresh, uncached editor render via an_editquery param;toolbar: falsedisables the toolbar entirely. The toolbar can now also be dismissed in the browser via its × button. The default ("server") is unchanged.
Patch Changes
-
#1865
582ea2cThanks @khoinguyenpham04! - Fixes the admin dashboard scheduled-content summary so it counts entries with pending schedules instead of inferring the count from other statuses. -
#1857
77e8968Thanks @swissky! - Speeds up the admin content-list search on collections with full-text search enabled: the filter is now served from the FTS5 index (token-prefix matching plus slug-prefix lookup) instead of scanning every row. Collections without search enabled, and PostgreSQL databases, keep the previous substring matching. -
#1905
e12f393Thanks @swissky! - Fixes multi-paragraph blockquotes splitting into separate quotes: consecutive quote paragraphs now render as a single blockquote on the site and load as one quote block in the editor, so merging them no longer reverts on reload. -
#1854
e4e76f5Thanks @swissky! - Fixes comment submissions bypassing Turnstile: when theEMDASH_TURNSTILE_SECRET_KEY(orTURNSTILE_SECRET_KEY) environment variable is set, the public comment endpoint now verifies the submitted Turnstile token server-side and rejects submissions without a valid one. Sites without a configured secret key are unaffected. -
#1550
cbc7d6bThanks @marcusbellamyshaw-cell! - Fixes search across all collections failing withD1_ERROR: no such column: c.titlewhen any search-enabled collection has notitlefield (#1178).titleis an optional field, not a guaranteed column, so callingsearch(or the MCPsearchtool) without acollectionsfilter could error instead of searching everything. Cross-collection search now works regardless of which collections define a title; results from a collection without one simply omit the title, and autocomplete suggestions skip such collections rather than erroring. -
#1907
15f4057Thanks @swissky! - Adds hreflang alternate links to the page head for translated content.<EmDashHead>now emits a<link rel="alternate" hreflang="...">per published translation (plusx-default) automatically, and a newgetHreflangAlternates()helper resolves the same set for hand-rolled heads. -
#1875
b116525Thanks @ascorbic! - Fixes a database stampede on Postgres when a pending migration fails at runtime: requests no longer pile up waiting on the migration lock, failed migrations are retried with a backoff instead of on every request, and failed attempts no longer leak idle database connections. -
#1855
450ea81Thanks @swissky! - Fixes preview and editor-toolbar responses being stored in the shared edge cache when route caching is enabled: requests with a_previewtoken and toolbar-injected editor pages now opt out of the route cache, so draft content is no longer served from the cache without token verification and toolbar markup no longer leaks to anonymous visitors. -
#1892
9c0733fThanks @ascorbic! - Fixes taxonomy term counts (Categories/Tags widgets, term pages, and the admin term list) so they only include content that is publicly visible: published or scheduled-and-due entries that have not been trashed. Counts are now also scoped to the taxonomy's declared collections. -
Updated dependencies [
582ea2c,582ea2c,d2f5ddc,d237e96,9792226,7c5de08,60811c0]:- @emdash-cms/admin@0.29.0
- @emdash-cms/plugin-types@0.2.0
- @emdash-cms/registry-client@0.3.3
- @emdash-cms/auth@0.29.0
- @emdash-cms/gutenberg-to-portable-text@0.29.0
0.28.1
Patch Changes
-
#1850
b92807fThanks @khoinguyenpham04! - Fixes internal media usage repair so partial draft failures, concurrent content deletes, and fresher usage writes keep repair coverage non-complete without discarding valid indexed usage. -
#1863
9e4701eThanks @swissky! - Fixes a privilege escalation on private plugin API routes: an editor (or a cross-origin page) could invoke admin-only, state-changing plugin routes by sending them asGETorHEADinstead ofPOST, which bypassed the permission tier and CSRF check. Every private plugin route now requiresplugins:manageand the CSRF header regardless of HTTP method. -
Updated dependencies []:
0.28.0
Minor Changes
-
#1849
b36d15cThanks @swissky! - Fixes "Worker exceeded resource limits" when importing large WordPress sites on Cloudflare. The plugin import now runs as a sequence of small requests — content pages, then comments, then menus and site identity — with a live progress bar instead of an indefinite spinner, and media files upload in bounded batches. An interrupted import can safely be re-run: already-imported content is skipped and the import fast-forwards to where it stopped. -
#1830
15b4d2dThanks @swissky! - Improves WordPress plugin imports: taxonomy terms and assignments (custom post type taxonomies are created as EmDash taxonomies automatically, scoped to the collections they map to), Yoast/Rank Math SEO titles and descriptions, ACF and custom meta fields (suggested as collection fields during analysis and populated on import), navigation menus, and comments (with authors, dates, threading, and approval status) are now imported. Site identity — title, tagline, logo, and favicon — is taken over from the WordPress site, replacing the starter template's placeholders. Internal links in imported content are rewritten to root-relative URLs so they stay on the new site instead of pointing back to the old WordPress domain. Fetches the full media library instead of the first 500 files, supports sites with plain permalinks via a?rest_route=fallback, and the import screen accepts a migration key generated by the EmDash Exporter plugin wizard.
Patch Changes
-
#1741
1866fa3Thanks @swissky! - SetsCache-Control: private, no-storeon the admin shell response so shared caches never store the admin HTML. Without an explicit header, caches that apply RFC 9111 heuristic freshness (for example Cloudflare's Workers Cache) could store an authenticated 200 and replay it to anonymous visitors instead of the login redirect. -
#1738
a3ec23dThanks @marcusbellamyshaw-cell! - Fixes admin media uploads to S3-compatible storage (R2, S3, Minio, etc.) being blocked by the Content-Security-Policy when the storage endpoint is a different origin than the site. The signed upload URL's origin is now allowed inconnect-src. -
#1726
cdca719Thanks @MA2153! - Fixes slow collection-list pages on SQLite/D1: folded taxonomy-term hydration now drives its subquery from the content–taxonomy pivot instead of scanning every term in the locale per row, so list pages no longer read tens of thousands of rows on sites with large taxonomies. -
#1837
ee5bfe6Thanks @ascorbic! - Updates EmDash image rendering to use Astro's responsive image component for local media with known dimensions while preserving provider images and placeholder behavior. -
#1746
a9e9ddeThanks @khoinguyenpham04! - Adds the internal media usage index foundation for upcoming usage-aware media workflows. This creates the usage index schema during migrations but does not change Media Library behavior yet. -
#1746
a9e9ddeThanks @khoinguyenpham04! - Adds internal media usage index hardening for future reference tracking. -
#1846
7d16d95Thanks @khoinguyenpham04! - Adds internal media usage repair foundations for future usage-aware media workflows. -
#1810
dd05063Thanks @masonjames! - Fixes menu items added via the admin content picker from a custom collection linking to the collection archive (/projects/) instead of the selected entry (/projects/widget-co). Entry references now resolve like page and post items, includingurlPatternsupport and per-locale resolution; items whose referenced entry no longer exists are hidden instead of pointing at the archive. Archive links (collection items without an entry reference) are unchanged. -
#1822
e2dd273Thanks @swissky! - Fixes object-cache reads hanging indefinitely after a request was cancelled mid-read. A namespace epoch read started by a request that disconnects (for example a bot aborting on a 404) could leave a never-settling shared promise behind, wedging every later read of that namespace until the isolate was recycled. Waiting requests now bound the shared read with their own timer, dead reads are reclaimed after a deadline, and in-flight reads survive the originating request's cancellation where the platform allows. -
#1732
92fd412Thanks @ascorbic! - Fixes the plugin registration example in theemdash()options JSDoc: plugins are registered as default-export descriptors (plugins: [auditLog]), not viaauditLogPlugin()-style factory calls, which have never existed. -
#1729
932f4baThanks @MA2153! - Speeds up taxonomy term lookups on SQLite/D1 by adding a compositetaxonomies(name, locale)index. Previously the query planner scanned every term in a locale to resolve a single taxonomy, so pages rendering several facets paid a full-locale scan per facet on sites with large taxonomies. A forward-only migration adds the index and drops the now-redundant single-column name index. -
Updated dependencies [
c1e2c3e,b36d15c,99b8a33,b6ba0d7,fd8ff27,15b4d2d]:
0.27.0
Minor Changes
-
#1707
e4eab4fThanks @swissky! - Brands the admin with the site's own title when no build-timeadmin.siteNameis configured. The admin sidebar previously always showed "EmDash", so operators running several EmDash backends couldn't tell them apart at a glance. The manifest now falls back to the Site Title (Settings → General, then the title captured during setup), WordPress-style. An explicitadmin.siteNamestill wins, and sites with neither keep the "EmDash" default. -
#1711
386faf5Thanks @ascorbic! - Excluding sample content when seeding (emdash seed --no-content, or unchecking "Include sample content" in the setup wizard) now also skips the seed's sample bylines and taxonomy terms, so a schema-only setup starts with no sample data at all. Taxonomy definitions, collections, menus, and other structure are still applied. The dev-only setup bypass endpoint accepts?content=0to do the same.
Patch Changes
-
#1284
7422460Thanks @eyupcanakman! - Fixes statically-sandboxed plugins (registered viasandboxed: []inastro.config.mjs) being absent from the admin Plugins screen. They are now listed alongside trusted and marketplace plugins, and can be fetched, enabled, and disabled through the same plugin management API. -
#1387
46ef945Thanks @auggernaut! - Adds LiveSearch route templates and search page navigation options. -
#1388
cff8498Thanks @auggernaut! - Fixes public LiveSearch autocomplete requests being blocked by auth middleware. -
#1708
dea8210Thanks @swissky! - Fixes slug-change 301 auto-redirects not being created for published entries in revision-supporting collections. Editing a published entry's slug in the admin stages the change as_sluginside a draft revision; on "Publish",ContentRepository.publish()synced the new slug straight into the content table — bypassinghandleContentUpdate, the only place auto-redirects were created. Since collections support drafts + revisions by default, the advertised "Auto: slug change" redirect effectively never fired for the standard editing flow, silently breaking old URLs. Publishing now leaves a 301 from the old URL behind whenever an already-published entry's slug changes. First publishes are excluded (a draft's URL was never public), and direct API slug updates behave as before. -
#1702
90ffe40Thanks @MA2153! - Restores theidx_content_taxonomies_termindex on SQLite/D1 installs that lost it when migration 036 was retried after a partial apply, so taxonomy reverse-lookups are indexed again. The index is now recreated unconditionally during 036 to prevent the same loss on any future partial apply. -
#1710
2a7063aThanks @ascorbic! - Fixes MCP tools and content writes failing in Cloudflare dev servers withThe file does not exist at ".../deps_ssr/..."after Vite re-optimizes dependencies, which previously required a dev server restart. Also pre-bundles the migration runner, image transform endpoint, andastro/zodso the first setup, image, or content request no longer triggers a mid-session re-optimization and worker reload. -
Updated dependencies [
8a93e1d]:
0.26.0
Minor Changes
-
#1659
facdcfcThanks @ttmx! - Adds content scheduling hooks for plugins to react when entries are scheduled or unscheduled. -
#1695
5dea403Thanks @ascorbic! - Updates EmDashHead JSON-LD rendering for Astro CSP compatibility.Sites using
<EmDashHead />do not need to change anything. JSON-LD structured data is still rendered automatically, but EmDash now registers the generated script hashes with Astro's CSP runtime API so strict CSP can allow them.This also adds
renderPageMetadata(metadata, { includeJsonLd: false })for advanced integrations that render metadata manually and want to handle JSON-LD script tags themselves. The default remains unchanged: callingrenderPageMetadata(metadata)still includes JSON-LD script tags in the returned HTML string.
Patch Changes
-
#1661
f44a277Thanks @greymoth-jp! - The editor footer now counts CJK (Chinese, Japanese, Korean) characters in its word count and reading-time estimate. Because these scripts have no spaces between words, the footer previously counted a whole paragraph as a single word and showed "1 min read" for long CJK drafts, even though the published page reported the correct reading time. The footer now matches the published reading time for CJK content; English and other space-delimited text is unchanged. -
#1561
971c627Thanks @marcusbellamyshaw-cell! - Fixes datetime fields becoming unsavable through the admin editor (#1368). Adatetime-localinput (or a seed) produces a naive value such as2026-06-04T18:30:00with noZsuffix or timezone offset, which the field validator rejected — and because the editor re-sends every field on autosave, an entry holding such a value could no longer be saved. Datetime fields now accept naive values (with or without seconds), values with aZsuffix or an explicit offset, and date-only values, while still rejecting non-dates. -
#1560
e5b95e1Thanks @marcusbellamyshaw-cell! - Fixes a cryptic build failure when a configured plugin has no resolvable entrypoint (#1416). Passing an inlinedefinePlugin({...})result directly toplugins: []previously failed deep in the bundler with an unhelpful "failed to resolve import" error. The build now fails fast with a clear message that names the offending plugin and explains thatplugins: []entries must resolve to a file or package entrypoint — move the plugin into its own module and reference it from there. -
#1603
13b87b7Thanks @Vallhalen! - Fixes silentnullentries on wide-schema collections under Cloudflare D1. The content loader's single-queryLEFT JOIN _emdash_seoadded 5 alias columns to every result set, which pushed collections with ~95+ flat user fields past D1's per-query column limit (~100). The query failed withD1_ERROR: too many columns in result set, the error was wrapped as a genericFailed to load entry, and the call site surfacednull. SEO is now folded into a single aggregated JSON column (mirroring how byline and taxonomy hydration already work), keeping the result-set width bounded regardless of how wide the collection schema gets while preserving the single round trip. -
#1542
8f7604dThanks @marcusbellamyshaw-cell! - Fixes a crash that returned HTTP 500 on every route on Cloudflare Workers when native plugins are registered withdefinePlugin(Cannot access 'SIMPLE_ID' before initialization). Plugin registration is now safe regardless of bundle ordering. -
#1554
3d80be5Thanks @marcusbellamyshaw-cell! - Fixes collectionwheretaxonomy filters matching nothing when filtering a non-default locale by its localized term slug. Term slugs now resolve in the active query locale (#1480). -
#1674
d1116aeThanks @khoinguyenpham04! - Adds the internal media usage index foundation for upcoming usage-aware media workflows. This creates the usage index schema during migrations but does not change Media Library behavior yet. -
#1399
192741fThanks @scottbuscemi! - Cut per-render D1 round trips on public pages by caching taxonomy definitions across the worker isolate, and harden the runtime/DB singletons against bundler module duplication.Every public render that hydrates entry terms read
SELECT * FROM _emdash_taxonomy_defs(viagetTaxonomyDefs→getCollectionTaxonomyNames), which only had per-request caching. On Cloudflare D1, where the worker colo is often far from the database primary, each query is a ~40ms cross-region round trip, so this fired on every warm request for no benefit — taxonomy definitions change extremely rarely (created via the admin API or a seed; there is no edit/delete-def path). They're now cached per-isolate behind aglobalThisSymbol holder (the same two-tier pattern assettings/index.tsand the byline field-defs cache), keyed by resolved locale and invalidated in-memory by every def write (handleTaxonomyCreate, seed application). Invalidation is in-memory rather than a persisted version probe on purpose: a per-request version read would merely replace the query being removed, yielding no net saving on warm isolates. Isolated databases (playground / DO preview) bypass the cache.Separately, the cached runtime instance, the DB-instance cache, and the in-flight DB-init promise (
astro/middleware.ts,emdash-runtime.ts) were plain module-scoped variables. Under Vite SSR chunk duplication those can become multiple independent copies, letting cold-start migrations and bootstrap reads re-run on requests that should have hit the warm cache. They now live onglobalThisbehind Symbol keys, matching the existingSETUP_VERIFIED_KEY/ request-context / request-cache singletons.No schema changes, no public API changes, fully backwards compatible.
-
#1692
737da19Thanks @MA2153! - Restores the missingidx_taxonomies_parentindex ontaxonomies(parent_id), which was silently dropped by the i18n table rebuild in an earlier version. Installs upgrade automatically; hierarchical (parent/child) taxonomy lookups are indexed again. -
#1696
5299d38Thanks @ascorbic! - Fixes i18n collection sitemaps so untranslated entries include self hreflang and x-default alternates.
0.25.1
Patch Changes
-
#1628
d4237ebThanks @MA2153! - Fixes missing image dimensions and LQIP placeholders (blurhash, dominant color) on media created through signed-URL uploads, pluginctx.media.upload(), and WordPress import. These were only generated for direct (local-storage) uploads, so production (R2/S3) media had no placeholders.LQIP placeholders are now cached on the stored media value of content fields (alongside
width/height) and on images inserted into rich text, so the<Image>component and portable-text image blocks render a blur/color placeholder before the image loads without a runtime lookup. -
#1654
2216dcaThanks @swissky! - Fixes the sitemap<lastmod>value so it is always a valid W3C Datetime. Timestamps stored via the database default (datetime('now')/CURRENT_TIMESTAMP) or carried in from imports were emitted as a space-separatedYYYY-MM-DD HH:MM:SSstring, which Google Search Console rejects as "Invalid date". They are now normalized to ISO 8601. -
Updated dependencies [
3960d49]:
0.25.0
Minor Changes
- #1658
1f4aa59Thanks @ttmx! - Adds a content restore hook for plugins to react when trashed entries are restored.
Patch Changes
-
#1662
942fac6Thanks @scottbuscemi! - Treats API-token and OAuth-token (Authorization: Bearer ec_pat_*/ec_oat_*) requests as authenticated when choosing the request-scoped database connection. These requests carry no session cookie, so they were previously classified as anonymous and could be routed to a read replica (D1) or the query cache (Hyperdrive split caching), breaking read-your-writes for API clients. They now use the primary/uncached connection like session-authenticated requests. -
#1543
38a63d5Thanks @marcusbellamyshaw-cell! - Fixes the admin author filter returning HTTP 500 (NOT_CONFIGURED/ "EmDash is not initialized") for every collection. ThehandleContentAuthorshandler was never exposed on the per-requestlocals.emdashobject in middleware, soGET /_emdash/api/content/{collection}/authorsalways tripped its not-initialized guard while sibling content routes worked normally. -
#1556
0f8d1ffThanks @marcusbellamyshaw-cell! -SchemaRegistry.updateField(andemdash seed --on-conflict update) no longer silently ignore a field'stypechange (#1397). Previously, changing a field's type inseed.jsonand re-seeding reported success and bumped the updated count while leaving_emdash_fields.type/column_typeat their old values, so generated types and column mappings went stale with no warning.UpdateFieldInputnow acceptstype: a change whose underlying column type is unchanged (e.g.string→slug, bothTEXT) is applied, and a change that would alter the column type (e.g.text→portableText,TEXT→JSON) is rejected with a clearFIELD_TYPE_COLUMN_CHANGEerror pointing to the need for a manual content migration, instead of silently corrupting the metadata.
0.24.1
Patch Changes
-
#1646
c962929Thanks @mvanhorn! - Fixes hierarchical taxonomy terms losing their parent in translated locales. A child term now stores its parent's translation group instead of a locale-bound row id, so translating a parent automatically re-nests its existing children in every locale instead of flattening them to the root. A forward-only migration backfills existing parent links. -
#1644
d64c961Thanks @masonjames! - Fixes React 19 development console warnings from the visual editing toolbar'suseSyncExternalStoredependency path. -
Updated dependencies []:
0.24.0
Minor Changes
-
#1577
79fc8b5Thanks @marcusbellamyshaw-cell! - Adds offset pagination togetEmDashCollectionfor numbered archive routesgetEmDashCollectionnow accepts anoffsetoption alongsidelimit, so you can render numbered archive URLs like/page/2or/tag/security/page/3without walking cursors or over-fetching from the start:const perPage = 20; const { entries, hasMore } = await getEmDashCollection("posts", { limit: perPage, offset: (page - 1) * perPage, orderBy: { published_at: "desc" }, });Results now include a
hasMoreboolean wheneverlimitis set, so you can show a "next page" link without an extra count query.offsetis ignored when acursoris supplied — cursor (keyset) pagination still wins.
Patch Changes
-
#1558
e659a5cThanks @marcusbellamyshaw-cell! - Fixes EmDash overriding security headers set by the host site (#1393). The baselineX-Content-Type-Options,Referrer-Policy, andPermissions-Policyheaders were applied unconditionally, overwriting stricter values a host had already set on its own routes. These headers are now applied only when the host hasn't set them — matching the existingContent-Security-Policybehavior — so a host's own values win while EmDash still provides defaults when none are set. -
#1636
d8487f9Thanks @MA2153! - Fixesctx.cronbeing undefined duringastro devunder the@astrojs/cloudflareadapter, which silently prevented plugins from scheduling cron tasks and stopped thecronhook from ever firing in local dev. The in-process scheduler now keys off Astro's command rather than Vite's, so plugin cron, scheduled publishing, and cleanup run again.
0.23.0
Minor Changes
- #1349
bd6cc3aThanks @MA2153! - Breaking: generated TypeScript interface names inemdash-env.d.tsnow derive from the collection slug (singularized) instead oflabelSingular. This fixes invalid identifiers (labels with spaces/punctuation) and duplicate identifiers (two collections sharing a label), while keeping names singular so each interface reads as a single entry (slugposts→Post,blog_posts→BlogPost). Interfaces are renamed wherever the old label-derived name differed from the slug. Users should regenerateemdash-env.d.ts(emdash typesor dev-server start) and update any direct interface references in their code.
Patch Changes
-
#1593
b4d7228Thanks @ascorbic! - Fixes the admin stylesheet leaking onto public routes inastro dev. The compiled Kumo/Tailwind theme was injected into every page's<head>, overriding host:roottokens (--text-base,--text-lg, ...) and styling otherwise-unstyled pages. The admin shell now loads its stylesheet as a route-scoped<link>, so public routes are unaffected — matching production behaviour. -
#1625
d74269dThanks @ascorbic! - Resolves the database connection at use-time for the cron sweep, plugin hook contexts, and media providers instead of capturing it once at startup. This makes scheduled publishing, plugin cron, and database-querying plugin hooks work on connection-backed adapters like Postgres over Cloudflare Hyperdrive, where a connection is bound to the event that opened it. Stateless adapters (D1, Node SQLite) are unaffected. -
#1617
e39984fThanks @ascorbic! - Cuts cold-start latency by batching runtime initialization reads into a single round trip. On a fresh isolate (or Worker), the auto-seed check, plugin-state load, and site-info load now run as one batched query on backends that support it (Cloudflare D1, Durable Objects) instead of several serialized round trips. On D1 this roughly halves runtime init time on cold start. Other backends (Node/SQLite) are unaffected. -
#1559
280b877Thanks @marcusbellamyshaw-cell! - Fixes the editor toolbar leaking into a shared cache (#1398). When a logged-in editor browsed the public site behind a shared cache (such as Cloudflare), responses carrying the injected toolbar could be cached and then served to anonymous visitors, exposing the toolbar markup and the fact that a session was active. Toolbar-bearing responses are now markedCache-Control: private, no-storeso they are never shared-cacheable; responses without an injected toolbar keep their original caching. -
#1553
7fca12fThanks @marcusbellamyshaw-cell! - Byline avatar hydration now includes the media LQIP placeholder fields (#1457). Content byline credits already folded in the avatar'savatarStorageKeyandavatarAltvia the media join, but dropped theblurhash/dominant_colorplaceholder columns, so author avatars couldn't render a low-quality image placeholder while loading even though the media stored one.BylineSummarynow also carriesavatarBlurhashandavatarDominantColor, populated bygetContentBylines,getContentBylinesMany, andfindByUserIds(and surfaced in the byline API response), so themes can paint a blurhash/dominant-colour placeholder for byline avatars exactly as they can for other media. -
#1613
fd077e0Thanks @scottbuscemi! - Fixes a build failure in theEmDashMediacomponent. The component-embed branch contained HTML comments (<!-- ... -->) inside a JSX expression, which the Astro compiler rejects with "Unexpected token", breaking every productionastro buildand returning 500s in dev on any page that renders media. The note is now a JSX comment. -
#1389
9ebb47eThanks @nanangdev! - Fixesemdash export-seed --with-content=allso it exports content from every collection, matching the documented behaviour. Previously the literal string"all"was treated as a collection name and matched none, producing an emptycontentblock. The bare flag and--with-content=truewere the only sentinels honoured. -
#1616
8c7bc81Thanks @MA2153! - Fixes plugins declaring themedia:writecapability receiving a read-onlyctx.mediawith noupload(). The plugin context only granted a writable media surface when an internal upload-URL provider was wired, which the runtime never supplied — soctx.media.upload()was alwaysundefined. Write access is now granted whenever storage is configured (allupload()needs), andgetUploadUrl()is derived from storage when no provider is set. Amedia:writeplugin on a site without storage now logs a warning instead of silently degrading to read-only. -
#1555
55613e1Thanks @marcusbellamyshaw-cell! - Plugin route handlers that callctx.request.json()(or.text(),.formData(),.arrayBuffer(),.blob()) now get a clear error pointing them toctx.inputinstead of the runtime's cryptic "Body has already been read" failure (#1293). EmDash parses the request body once before the handler runs and exposes it asctx.input, leavingctx.request's stream consumed; the request handed to handlers now guards those body-reading methods with an actionable message. All other request members (url,method,headers,signal, …) are unaffected. -
#1396
c5f58b9Thanks @nanangdev! - fix: render text alignment from rich-text editor end-to-end (#1201)The previous fix in
text-align-round-trippatched only thepackages/core/src/content/converters/pair but the rich-text editor saves through two other ProseMirror ↔ Portable Text converters that each carried their own copy of the same logic — so reporter and maintainer kept seeing alignment dropped on save:packages/admin/src/components/PortableTextEditor.tsx(admin save path)packages/core/src/components/InlinePortableTextEditor.tsx(in-page inline editing)
Both now forward
node.attrs?.textAlignfor paragraphs and headings (onlycenter,right,justify—leftis the editor default and is omitted so existing content stays byte-identical) and restore it on the reverse path. Each editor's localPortableTextTextBlockinterface gained thetextAlign?: "left" | "center" | "right" | "justify"field, mirroring the type inpackages/core/src/content/converters/types.ts.The Portable Text frontend renderer now emits a WordPress-style
has-text-align-{value}class on the rendered<p>/<h1..h6>/<blockquote>whenever the block carriestextAlign. A newBlockcomponent is added underemdash/uifor callers composing custom Portable Text components who want to keep the EmDash behaviour. The class allowlist is enforced viaObject.hasOwn, so a hostile or hand-edited Portable Text block cannot inject arbitrary class names.Consolidating the three duplicated converter pairs into a single shared module is a follow-up refactor and intentionally out of scope here.
-
#1619
c056060Thanks @ascorbic! - Speeds up content reads by fetching each entry or collection together with its author bylines and taxonomy terms in one database query instead of three. This cuts time-to-first-byte on hosted databases like D1 where every query is a network round trip. -
#1406
c43c412Thanks @SailingGreg! - Honor image alignment from WordPress imports at render and in the editor, and surface display-size controls for migrated images.The Gutenberg to Portable Text importer already captured image
alignment, but it was dropped by the renderer and not editable.Image.astronow emitsemdash-image--align-*classes (left/right float, center, wide/full), the admin editor threadsalignmentthrough the PortableText/TipTap serializer and image node and adds an alignment control that reflects in the node view, and the Display Size panel now shows for migrated images that carry only display dimensions. -
#1614
b5ea8e7Thanks @scottbuscemi! - Fixes request-scoped database adapters that hold a real connection (e.g. Postgres over Cloudflare Hyperdrive) so they work on Workers.locals.emdash.dbis now resolved lazily, so routes get the per-request connection instead of a snapshot of the shared singleton, and a request-scoped connection is now closed only after the response body finishes streaming rather than before — Astro streams HTML while components still query, so closing earlier broke server-rendered pages. No effect on D1 or other stateless bindings. -
#1396
c5f58b9Thanks @nanangdev! - fix(core/converters): persist text alignment from rich-text editor through ProseMirror ↔ Portable Text round-trip (#1201)prosemirrorToPortableTextnow readsnode.attrs.textAlignfor paragraphs and headings and forwards it into the Portable Text block.portableTextToProsemirrorrestores it back into ProseMirror node attrs. ThePortableTextTextBlocktype gained an optionaltextAlign?: "left" | "center" | "right" | "justify"field. Left alignment is not persisted (it is TipTap's default and would bloat existing content). -
Updated dependencies []:
0.22.0
Minor Changes
-
#1540
cf17c9fThanks @marcusbellamyshaw-cell! - Add comment reactionsVisitors can now react to approved comments (positive-only "like" by default, extensible to other reaction types). Reactions are deduped per voter via IP hash.
The
<Comments>component gains two opt-in props:reactions— render a like button per comment and attach live counts.sort="best"— order top-level comments by a Reddit-style Wilson score lower bound (sort="oldest", the previous behavior, remains the default).
Posting is progressively enhanced (a tiny inline script, no framework island) and emitted only when
reactionsis enabled, so pages that don't use reactions ship zero additional JavaScript. Fully additive and backward-compatible: a new table, a new route, and new optional props with behavior-preserving defaults. -
#1484
d46abfdThanks @swissky! - Forward declarativeportableTextBlocksandfieldWidgetsfrom standard and sandboxed (from-config) pluginsStandard- and sandboxed-format plugins could already declare admin pages and dashboard widgets, but their declarative Portable Text block types and field widgets were dropped during adaptation — only native-format plugins surfaced them. Since the admin editor reads these from the manifest, the slash-menu entries and Block Kit forms never appeared for non-native plugins.
adaptSandboxEntrynow forwards both for standard plugins and sandboxed plugins resolved from config (thevirtual-modules.tscodegen path), so those formats can contribute Portable Text blocks and field widgets. The site-side render component (componentsEntry) still requires native format, which is unchanged.Note: marketplace bundles loaded from R2 are not covered yet — the bundle manifest schema, both
extractManifest()implementations, and the bundler don't carry these fields, so this is scoped to standard/sandboxed-from-config. Full marketplace support is tracked as a follow-up. -
#1564
6a97bacThanks @ascorbic! - Adds byline management to the MCP server:byline_list,byline_get,byline_create,byline_update,byline_delete, andbyline_translationstools, plus abylinesargument oncontent_createso credits can be attached at creation time (previously onlycontent_updateaccepted them). -
#1378
640e60aThanks @scottbuscemi! - Add an optional distributed object cache for query results.Content reads (
getEmDashCollection,getEmDashEntry,resolveEmDashPath) and chrome reads (site settings, menus, taxonomies) can now be served from a fast key/value store instead of hitting the database on every request. This sits beneath the per-request cache and above the database, dramatically reducing read pressure on D1/SQLite — especially valuable on Cloudflare, where KV handles far more requests than D1.The cache is off by default and fully opt-in. Configure a backend in
astro.config.mjs:import { kvCache } from "@emdash-cms/cloudflare"; // Workers KV (distributed) import { memoryCache } from "emdash/astro"; // in-isolate (Node / local dev) emdash({ database: d1({ binding: "DB" }), objectCache: kvCache({ binding: "CACHE" }), });with a matching KV binding in
wrangler.jsonc:{ "kv_namespaces": [{ "binding": "CACHE", "id": "<namespace-id>" }] }Invalidation is epoch-based and automatic: content, byline, taxonomy, menu, and settings writes bump a per-namespace version, instantly orphaning stale entries (no key enumeration needed). Preview and visual-edit requests bypass the cache, so editors previewing see live content; other reads are served from the cache, which only ever stores published content. After an edit, anonymous visitors may see stale content until isolates pick up the bumped epoch — immediate on the in-isolate memory backend, and on KV bounded by KV's edge-cache propagation (eventually consistent, up to ~60s) plus the
revalidatewindow (default 1s, configurable).New public API:
cachedQuery,invalidateObjectCache,invalidateCollectionCache,contentNamespace/contentNamespaces,CacheNamespace, theObjectCache*types (fromemdash),memoryCache()(fromemdash/astro), andkvCache()(from@emdash-cms/cloudflare). Existing sites are unaffected until they opt in. -
#1549
a623c6bThanks @ascorbic! - Fixes responsive image optimization for storage-backed media on Cloudflare. EmDash now wraps Astro's image endpoint to read media bytes directly from your storage adapter instead of fetching them over HTTP, soImageand Portable Text images generate a real responsivesrcseteven when the site is behind Cloudflare Access (previously these 404'd and fell back to a full-size image). This is on by default and also removes an internal HTTP round-trip on Node. Setimages: falsein youremdash()config to leave Astro's image endpoint untouched.
Patch Changes
-
#1579
0bfab91Thanks @ascorbic! - Fixes a Cloudflare build failure where the barezodimport used by the type generator was not externalized, causing the bundler to fail. EmDash sites on Cloudflare now build correctly under Astro 7. -
#1584
707edeeThanks @ascorbic! - Fixes the dev setup-bypass endpoint accumulating duplicatedev-bypass-tokenaccess tokens. Re-running it (for example after a dev reset) now replaces the previous token with a fresh one instead of adding another row. -
#1581
a36b5f3Thanks @naota70! - Fix the setup probe baking a redirect to/_emdash/admin/setupinto prerendered pages. On a build whose database is empty (e.g. CI/first deploy), the anonymous setup probe saw a missing migrations table and returnedcontext.redirect("/_emdash/admin/setup"); a prerendered route serializes that into static HTML and ships the redirect to production. The probe is now skipped entirely whencontext.isPrerenderedis true — there is no live visitor to send to the wizard at build time, and the build database is legitimately empty. Live (SSR) requests are unaffected. -
#1509
ed921d8Thanks @ascorbic! - Speeds up public page loads on remote databases (D1, Durable Objects) by eagerly warming site-global layout data (menus, widget areas, taxonomy term lists, settings) at the start of the request, so the layout's per-component reads overlap into roughly one round trip instead of executing serially. Transparent to site code; no template changes needed. -
#1563
c219affThanks @ascorbic! - Lets the MCPcontent_createandcontent_updatetools accept a Markdown string for rich text (portableText) fields, converting it to Portable Text automatically — the same behaviour the EmDash client already has. Passing a Portable Text JSON array still works. Authoring rich text as a single Markdown string avoids the large nested JSON payloads that agents frequently emit as malformed JSON, causing the tool call to fail before it reaches the server.content_getandcontent_listgain an optionalmarkdownflag (default false) that returns rich text fields as Markdown instead of Portable Text arrays. -
#1580
ca47da4Thanks @ascorbic! - Fixes query instrumentation (EMDASH_QUERY_LOG=1) so the per-query NDJSON log captures queries issued while the page is still streaming, not just those that ran before the response headers were sent. The per-query log now matches the totals already reported by the[emdash-stream-end]summary line. -
#1538
cb1c689Thanks @swissky! - Fix logged-in pages hanging indefinitely on Cloudflare Workers (#1274). A request cancelled mid-session.get("user")could leave the session-store read as a promise that never settles, poisoning the isolate so every later session-bearing request hung (0-CPU, multi-minute,canceled) — reliably reproducible on fresh isolates right after a deploy. Every session read on the request path (the main middleware, the auth middleware, and the preview-snapshot route) now goes through a sharedresolveSessionUser()helper that anchors the read withafter()so a cancelled request still drives it to completion (preventing the isolate poisoning), with a fail-closed timeout backstop that degrades a still-stalled read to "unauthenticated for this request" rather than hanging. -
Updated dependencies [
f4925b1]:
0.21.0
Minor Changes
-
#1382
b6a5facThanks @ascorbic! - The Astro dev server now prints absolute, clickable URLs for the admin UI and (when enabled) the MCP server, along with a dev-bypass shortcut link that signs you in as a dev admin without going through passkey setup or auth. The startup banner also shows the installed EmDash version. The dev-bypass link is dev-only and the underlying endpoint returns 403 in production. -
#1508
e9cd7b7Thanks @swissky! - Add a "Gone (410)" rule type. Redirect rules now support410(Content Deleted) and451(Unavailable For Legal Reasons) as terminal statuses — served directly with no destination — and the 404 log offers a one-click "Mark as Gone (410)" action next to "Create redirect". A 410 tells search engines a URL was intentionally and permanently removed, so it is deindexed faster than a 404.
Patch Changes
-
#1511
23c37f3Thanks @CacheMeOwside! - Fixesemdash doctoralways reporting "could not query users table". The users check now queries the correct table and reports the actual user count. -
#1530
997d7eeThanks @ascorbic! - Fixes admin and content pages intermittently hanging and returning 524 timeouts on Cloudflare Workers. The per-isolate caches for byline custom-field definitions and resolved site secrets could retain a never-settling promise left behind by a cancelled request, which wedged every later request on that isolate until it was evicted. Both caches now cache the resolved value behind a reclaimable single-flight lock, so a cancelled request can no longer stall the isolate. -
#1386
37e848bThanks @auggernaut! - Skips default robots.txt and sitemap.xml route injection when the host site defines its own root routes.
0.20.0
Minor Changes
-
#1461
b01aa9bThanks @ascorbic! - Fixes registry installs failing with "Plugin manifest has changed since you consented" for plugins that declare hook-registration capabilities (email transport, email events, page fragments) or read user records. Plugin bundles now declare their access as a structureddeclaredAccesscontract that the registry record, the install-consent dialog, and the sandbox all read consistently, so every capability a plugin declares is shown for consent and enforced — no capability is silently dropped. Re-publish affected plugins to adopt the new bundle format; existing installs are unaffected. -
#1425
3e344afThanks @swissky! - Repeater fields supportimagesub-fields with the media picker (#1424)Repeater rows previously rendered every non-scalar sub-field as a plain text input, so galleries had to be built from hand-pasted URLs. Image sub-fields now render the same media-picker UI as top-level image fields (select, preview, change, remove) and store the same MediaValue shape — legacy string URLs keep working.
Includes:
imagein the schema-builder sub-field type select, the sharedImageFieldRendererextracted out ofContentEditorfor reuse, and the sub-field type whitelists in core (REPEATER_SUB_FIELD_TYPES+ the API Zod enum) extended — the Zod enum also gains the previously missingurlentry that the builder already offered.
Patch Changes
-
#1447
141aa11Thanks @ascorbic! - Fixes@atcutepeer dependency warnings on install (#1435)Installing EmDash pulled in mismatched
@atcutepackage versions, sopnpm install/npm installreported unmet peer warnings for@atcute/identityand@atcute/lexicons. The bundled@atcutedependencies are now aligned on v2 and installs are clean. If your project also depends on@atcutepackages directly, note they have moved to v2 (@atcute/client5,@atcute/lexicons2,@atcute/atproto4,@atcute/oauth-node-client2). -
#1492
7688f0bThanks @ascorbic! - Fixes a read-your-writes gap with database read replication: the session bookmark cookie is now persisted even when page rendering throws after a successful write, so an immediately-following request can't read pre-write state from a lagging replica. -
#1459
c7166b0Thanks @mvanhorn! - Fix scheduled entries staying hidden after their scheduled time (#1402)isVisible()readscheduledAtviadataStr, which returned an empty string for theDatethe loader produced, so entries whose scheduled time had passed never became visible. The visibility check now reads the scheduled time correctly. -
#1458
9c994adThanks @mvanhorn! - Fixnpx emdash typescrash caused by the schema endpoint envelope (#1188)The
/schemaroute returned an enveloped JSON body whileclient.request()already unwraps the.datafield, soemdash typesreceivedundefinedand crashed. The route now returns the un-enveloped shape the client expects. -
#1489
eddaf91Thanks @ascorbic! - Fixes admin pages hanging indefinitely (and eventually returning 524 timeouts) on Cloudflare Workers. The worker-lifetime caches for site settings and search-index health could be left holding a request that never completed (for example when a visitor's request was cancelled mid-load), which then stalled every later request served by that worker until it was recycled. These caches now keep resolved values rather than in-flight requests, so a cancelled or interrupted request can no longer wedge the rest. -
#1481
afc3a0fThanks @MA2153! - Fixes collectionwherefilters to apply every taxonomy key instead of silently dropping all but the first. Filtering by two or more taxonomies (e.g.{ category: ["news"], region: ["emea"] }) now returns the intersection — entries tagged in each taxonomy — matching how field and byline filters already compose. -
#1498
3d423a7Thanks @ascorbic! - Reduces redundant database queries when rendering content pages: widget areas are now request-cached, taxonomy term usage-counts are fetched once per request instead of once per taxonomy widget, andgetTermsForEntriesreuses already-hydrated terms instead of re-querying. Fewer round trips per page on every backend. -
#1492
7688f0bThanks @ascorbic! - Adds anrpc.countServer-Timing metric reporting physical database round trips, distinct fromdb.count(logical queries). Backends that batch (the new Durable Objects SQL driver coalesces same-turn reads into one round trip) can now surface how many round trips a request actually made. -
#1504
8807701Thanks @swissky! - Adds image entries to per-collection sitemaps. When a content entry has an SEO image, the sitemap now emits it as a Google<image:image>entry, helping Google discover and index page images for Google Images. -
Updated dependencies [
141aa11,ddf8f0d,68840a9,eaedec0,8bb20c4,fb31240,022fd66,5d8358b,ce96271,b2e65ac,589d07f,d6269e7,325c673,af4af50,c48604b,52ea731,acfeb89,6c1fe5c,6246774,b01aa9b,3e344af,5f7cd11,263392f,eddadf8]:- @emdash-cms/admin@0.20.0
- @emdash-cms/registry-client@0.3.2
- @emdash-cms/plugin-types@0.1.0
- @emdash-cms/auth@0.20.0
- @emdash-cms/gutenberg-to-portable-text@0.20.0
0.19.0
Minor Changes
-
#1442
e96587fThanks @ascorbic! - Add status, author, and date-range filtering to the admin content list (#1288). The content list API gainsauthorId,dateField,dateFrom, anddateToquery params (all additive and optional), and a newGET /_emdash/api/content/{collection}/authorsendpoint lists the distinct authors of a collection's content (gated oncontent:read). Filtering runs server-side, so it works across the whole collection rather than only the loaded page. -
#1439
023893aThanks @ascorbic! - Add content filtering by byline credit.getEmDashCollectionnow accepts a reservedbylinekey inwherethat returns entries credited to a byline in any position, including co-authored entries where the byline is a secondary credit. This makes author archive pages possible without querying the database directly. Pass a single byline translation group or an array to match any of several.const byline = await getBylineBySlug("jane-doe"); const { entries } = await getEmDashCollection("posts", { where: { byline: byline.translationGroup ?? byline.id }, orderBy: { published_at: "desc" }, });A
getEntriesByByline(collection, byline, options)helper wraps the same filter, mirroringgetEntriesByTerm. -
#1367
f41092bThanks @MA2153! - Add content-reference database schema:_emdash_relations(relationship-type definitions, row-per-locale) and_emdash_content_references(directed, locale-agnostic edges between content entries linked bytranslation_group). Additive, forward-only migration043; no existing tables change. Groundwork for reference fields — no field type, API, or admin UI yet. -
#1438
850c1b7Thanks @ascorbic! - Generate responsivesrcsets for media rendered with theImageand Portable Text image components. EmDash now routes locally/R2-stored media through Astro's configured image service (astro:assets) -- the Cloudflare Images binding on Workers, sharp on Node -- producing width-appropriate candidates and modern formats (e.g. WebP) instead of a single full-size<img>.This works automatically:
- Media served from a configured storage
publicUrl(R2 custom domain, S3/CDN) is authorized and optimized. - Same-origin proxied media (local storage, or R2 without a public URL) is optimized when
siteUrlis set; the matchingimage.remotePatternsentry is registered for you, scoped to the media route. - In
astro devit works out of the box without configuration.
When optimization isn't possible (no image service available, an unauthorized host, or unknown dimensions) the components fall back to a plain
<img>, so existing sites keep rendering exactly as before. No template changes are required. - Media served from a configured storage
-
#1312
c39789cThanks @ascorbic! - Drive scheduled publishing from a real heartbeat instead of request side effects (#1303).Content scheduled via the admin now actually transitions to
publishedwhen its time arrives. Previously nothing promoted the row —statusstayedscheduledandpublished_atstayed null forever.A new sweep (
publishDueContent) promotes due content and runs alongside the existing cron tick and system cleanup:- Node / single-process: the timer-based scheduler already drives it — no action needed.
- Cloudflare Workers: a
scheduled()handler driven by a Cron Trigger now runs the sweep. The request-drivenPiggybackScheduleris gone, so there are no maintenance side effects on visitor requests.
@emdash-cms/cloudflareships a Worker entry that wraps Astro's handler with thescheduled()handler (@emdash-cms/cloudflare/worker, pluscreateScheduledHandler()for hand-assembled Workers). When a cache provider is configured, the handler also purges edge-cache tags for whatever it published, so stale snapshots produced before the scheduled time are evicted.Migration for existing Cloudflare sites. New sites get this from the templates. Existing deployments must update two files:
// src/worker.ts export { default, PluginBridge } from "@emdash-cms/cloudflare/worker";// wrangler.jsonc "triggers": { "crons": ["* * * * *"] }Without the Cron Trigger, scheduled publishing and plugin cron do not run on Workers.
Scheduled publishing matches manual publishing exactly: it fires
content:afterPublishhooks (search indexing, webhooks, syndication), and records the scheduled time aspublished_aton first publication rather than the (later) sweep time. The sweep claims each row atomically before promoting it, so an entry unscheduled or rescheduled just before its time is never published, and overlapping sweeps can't double-publish. Localastro devkeeps running the timer-driven sweep even under the Cloudflare adapter (where production relies on the Cron Trigger).Each tick promotes at most 100 items per collection (a large backlog drains over successive ticks) so a single Worker invocation can't exhaust its CPU/subrequest budget, and edge-cache tags are purged incrementally after each collection's batch rather than only at the end. On Node, the maintenance interval is capped at 60s so scheduled-publish latency matches the Cloudflare Cron Trigger cadence instead of lagging up to five minutes when no plugin cron is due.
Patch Changes
-
#1307
cedfcc5Thanks @emdashbot! - Read?locale=in content write routes (DELETE, publish, unpublish, discard-draft, schedule, unschedule) and forward it tohandleContentGetfor locale-aware slug resolution (#1242) -
#1420
c63f9caThanks @swissky! -getTaxonomyTerms()now returns the termdescriptionfor flat (non-hierarchical) taxonomies (#1419)The query already fetched the
datacolumn, but the non-hierarchical branch dropped it when mapping rows toTaxonomyTerm— only hierarchical taxonomies (viabuildTree) parsed the description. Descriptions set in the admin UI are now returned for both kinds of taxonomies. -
#1426
61ea3c9Thanks @MA2153! - Fix seed CLI hardcodingenas the default locale (#1421)emdash export-seednow emits a top-leveldefaultLocalefor single-locale projects, andemdash seed(applySeed) honors it when backfilling the locale of menus, taxonomies, and content rows that omit an explicitlocale. Previously anexport-seed→seedround-trip silently rewrote a non-endefault locale (e.g.de) toen, since the CLI runs outside the Astro runtime and the fallback collapsed toen. Projects whose default locale isenare unaffected. -
#1445
a4c2af2Thanks @ascorbic! - FixgetEmDashEntry/getEmDashCollectionhydrating taxonomy terms in the request-context or default locale instead of the entry's resolved locale (#1441). When querying with an explicitlocale(or via a localized route),entry.data.termscould return default-locale term variants even though the content row was correctly localized. Term hydration now uses the same resolved locale as the content query. -
Updated dependencies [
e96587f,cedfcc5,7e70abc,783e663,157237d]:
0.18.0
Patch Changes
-
#1391
8a766b8Thanks @mvvmm! - Addfetchpriority="high"to priority EmDash images so above-the-fold images can be requested eagerly and prioritized by the browser. -
#1405
bdabff7Thanks @ascorbic! - Fixed a bug where a visitor disconnecting at the wrong moment during a cold start could leave that server instance permanently broken: every subsequent request to it would hang until the platform timed it out (a 524 error on Cloudflare, after 100 seconds), and the instance stayed broken until it was recycled. Sites no longer get stuck — startup now recovers automatically, and in the worst case a request fails fast with an error instead of hanging. -
#1408
afc065cThanks @ascorbic! - Faster cold starts. The first request a fresh server instance handles — after a deploy, or when traffic picks up again after a quiet spell — now runs its startup steps concurrently instead of one at a time, shaving database and storage round trips off that first page load. Especially noticeable on Cloudflare, where new instances spin up frequently. -
#1409
7ee9467Thanks @ascorbic! - Pages render with fewer database round trips:- Tag and category archive pages load faster —
getTerm()fetches its details in parallel instead of one query at a time. - Pages with several menus (header, footer, …) no longer repeat the same lookup for each menu.
- Entries fetched with
getEmDashEntry/getEmDashCollectionalready include their taxonomy terms — you can now readentry.data.terms?.tagdirectly (it's typed in your generatedemdash-env.d.ts) instead of making a separategetEntryTerms()call. The bundled templates have been updated to do this.
- Tag and category archive pages load faster —
-
#1407
f9362d7Thanks @ascorbic! - Query instrumentation (EMDASH_QUERY_LOG=1) now captures the whole request, not just the part before the response headers are sent. Queries issued by components while the page is still streaming were previously invisible to the Server-Timing numbers; a final[emdash-stream-end]log line now reports the complete query count, database time, and cache hits for each request, so you can see where a slow page really spends its time. No effect when instrumentation is off. -
Updated dependencies [
d2829e3]:
0.17.2
Patch Changes
-
#1356
4e11daaThanks @ascorbic! - Scope Postgres table/column introspection to the connection's active schema instead of hardcodingpublic.tableExistsandlistTablesLike(database/dialect-helpers.ts) and two idempotency checks in the019_i18nmigration queriedinformation_schemawithtable_schema = 'public', so a Postgres deployment using a non-public schema (per-tenant or shared-cluster setups) would see tables from the wrong schema or none at all, causing collection/schema operations to misbehave and the i18n migration to skip its column additions. These now usecurrent_schema(), matching the already-correctindexExists/columnExistshelpers and migration038. -
#1167
fe6bc78Thanks @abhishekshankar! - fix(seo): buildMediaUrl handles root-relative paths without doubling the API prefix -
#1345
80f2925Thanks @scottbuscemi! - Fix frontend pages redirecting to/_emdash/admin/setupon a fully set-up site. The anonymous fast-path "setup probe" in the Astro middleware queries_emdash_migrationsto detect a fresh, un-migrated database, but itscatchblock treated every error as "fresh install" — so a transient DB failure (D1 connection loss, replica unavailable, query timeout, cold-start race, locked SQLite) wrongly bounced real visitors to the setup wizard. The probe now only redirects when the error is a genuinely-missing table (via the sharedisMissingTableErrorhelper) and otherwise renders the page normally. ThesetupVerifiedflag is also moved onto aglobalThisSymbol.forsingleton so it isn't duplicated across SSR chunks, which had caused the probe to re-run far more often than intended (and each re-run was another chance to hit the bug). -
Updated dependencies [
4ee75f8]:
0.17.1
Patch Changes
-
#1328
149fc49Thanks @MA2153! - Fixemdash export-seedomitting bylines. The exporter now emits byline profiles as the rootbylines[]array (one entry per translation group, sinceSeedBylinehas no locale axis) and, when content is exported, attaches each entry's ordered byline credits asbylines[]referencing those profiles. Credits are read straight from_emdash_content_bylines(whosebyline_idalready stores the translation group), so the exported seed round-trips back throughapplySeedwith profiles and credits intact. -
#1336
64d5675Thanks @ascorbic! - Pre-bundle EmDash's auth, MCP, and admin-shell dependencies soastro devon Cloudflare no longer triggers a re-optimize + full-reload cascade on the first authenticated/admin/MCP request.These deps (
@oslojs/crypto/{hmac,subtle,rsa},arctic, the MCP server entrypoints,@lingui/react,@cloudflare/kumo/primitives,astro/assets/services/noop) are only imported on routes the initial Vite scan never reaches, so the workerd runtime discovered them one at a time. Each discovery invalidated the optimize cache mid-flight, producingThe file does not exist at ".../deps_ssr/chunk-*.js"errors and repeated full reloads on cold start. Adding them to the Cloudflare SSRoptimizeDeps.includelist front-loads them into a single startup optimize pass. -
#1331
77fff0aThanks @MA2153! - Fixemdash export-seedcollapsing locale variants into duplicate seed ids on i18n projects. The CLI never initializes the runtime i18n config, soisI18nEnabled()was alwaysfalseand the exporter stripped the:localesuffix from taxonomy, menu, and content seed ids — merging every locale variant into one bare id and producing duplicates thatvalidateSeedrejected. The exporter now derives locale-awareness from the data (a project is multi-locale when its i18n-aware tables hold more than one distinct locale), so multi-locale exports keep their per-locale suffixes andtranslationOflinks while genuinely single-locale projects still export bare ids. -
#1340
87c40d3Thanks @emdashbot! - FixgetEmDashCollectionpagination losingnextCursorwith Astro 6 live collections. Astro'sgetLiveCollectionrepacks loader results and drops thenextCursorfield before it reaches the caller. The wrapper now over-fetches by one entry whenever alimitis provided, slices the extra row locally, and synthesizesnextCursorvia the existingencodeEntryCursorhelper — matching the strategy already used by the bucketing path.
0.17.0
Minor Changes
-
#1258
28432b9Thanks @MohamedH1998! - Adds custom fields to bylines. Sites can define site-specific byline metadata (Twitter handle, pronouns, company, localised job title, etc.) via the new/byline-schemaadmin screen, accessed from the Byline schema link button at the top of the Bylines admin page (admin-only).Per-field
translatableflag picks whether values are stored per-locale (one value per locale row in atranslation_group) or shared across every locale variant of the same byline identity. Schema management is gated byschema:manage; value editing bybylines:manage.Custom-field values can be set at both create and update time.
POSTandPUTon/_emdash/api/admin/bylinesaccept the samecustomFieldsmap; the row write and the custom-field writes share a single transaction on Node/PG so a partial failure rolls both back. On D1 (no transactions), a retry POST is treated as completing an abandoned create iff three checks all pass: (a) every fixed column on the existing row matches the new payload (displayName,bio,avatarMediaId,websiteUrl,userId,isGuest, effective locale — null-vs-undefined normalised); (b) the existing row'stranslationGroupmatches what a fresh create with the same input would produce (sourceGroupwhentranslationOfis present,existing.idwhen it isn't); (c) every custom-field value already stored on the row appears in the input payload with an equal value (subset-match, so partial mid-loop crashes can be completed). The recovery branch is conservative on every axis: any fixed-column mismatch, any translation-group mismatch, any overlapping custom-field value mismatch, an input that omits a key the existing row stores, or an input with no custom fields at all → standardCONFLICT. Validation runs before any DB write so a bad value (unknown slug, type mismatch, select-choice miss, non-URL or non-http(s) URL for aurlfield) returns 400VALIDATION_ERRORwithout leaving partial state behind. In the admin, registered fields render inline with Name, Bio, etc. — no separate section header — and are available in the New byline dialog as well as edit.BylineSummarygains an optionalcustomFields: Record<string, CustomFieldValue>property. Existing object-literal consumers stay source-compatible because the property is optional and runtime always returns{}when no fields are registered.Hydration is symmetric with writes: rows are only applied to a byline when they live in the table matching the field's current
translatableflag, so stale rows from atranslatableflip can't leak into hydrated output. Schema mutations on/byline-schemainvalidate the samebyline-fieldsquery the byline form reads, so newly-registered fields appear in the editor without a page reload.urlfield values are parsed withnew URL(...)AND restricted tohttp:/https:schemes at write time so they can't shipjavascript:/data:/mailto:payloads to link rendering. TheBylineFieldEditor"Save" button stays disabled until aselectfield has at least one option; and select-option lists are accumulated on a null-prototype object so option values that collide withObject.prototypekeys render correctly.The field-definitions cache uses parity on
options.byline_fields_versionas a dirty bit: schema mutations flip the counter to odd before the write lands and to a new even value after, with the cache treating any odd version as "bypass the global holder, read fresh from the DB".markVersionDirtyis parity-aware (ensures odd, no-op if already odd) so a crashed prior attempt's leftover dirty state can't get inverted.markVersionCleanis always-advance (+2when starting even,+1when starting odd) so two concurrent mutators can't collapse on the same even key and pin the cache on a partial-set snapshot — every committed mutation produces an observable counter change for cache readers. Idempotent-retry exits (FIELD_EXISTSon create,FIELD_NOT_FOUNDon update/delete, no-op input on update) callmarkVersionCleantoo, which doubles as both the dirty-crash recovery and the false-clean recovery. All version writes useINSERT … ON CONFLICT DO UPDATEso a missing options row can't silently turn invalidation into a no-op.Implements #1174. Builds on the bylines-i18n foundation from #1146.
-
#1215
590b2f9Thanks @scottbuscemi! - First-class HTML block in the admin editor. The existinghtmlBlockPortable Text type (produced by the WordPress and Contentful importers) is now a fully editable block in the rich-text editor. Authors can insert an HTML block via the/htmlslash command and edit raw HTML in a textarea. ImportedhtmlBlockcontent that previously fell through to an opaquepluginBlockplaceholder is now rendered in the same editable UI. The inline (visual-editing) editor preserves HTML blocks as read-only placeholders to prevent data loss.
Patch Changes
-
#1298
cd2dcc6Thanks @ascorbic! - Byline hydration now resolves the author avatar's storage key in the same query.getEmDashCollection/getEmDashEntrypopulateentry.data.bylines[].byline.avatarStorageKey(andavatarAlt) via aLEFT JOINon the media table, so list pages can build a direct avatar URL without a per-bylineMediaRepository.findById. Previously the byline summary exposed onlyavatarMediaId(a bare ULID with no file extension), forcing sites that want direct storage URLs into an N+1 media lookup. A page rendering 20 posts by distinct authors paid ~20 extra queries. The new fields are additive and null on the plain byline finders (findById,findBySlug), which do not join media; rely on the content-credit hydration path for them. -
#1197
62c170fThanks @scottbuscemi! - Persist welcome-dismissed flag in database instead of session. Previously the welcome modal would be shown every time a user logged-in. -
#1295
ee67273Thanks @emdashbot! - fix(core/redirects): match exact redirects regardless of trailing slash (#1271)Exact redirect rules now match requests with or without a trailing slash. A redirect stored with source
/old/will also match a request for/old, and a redirect stored with source/oldwill also match/old/. The stored source is preserved unchanged; the fallback happens at lookup time. -
#1226
9422d6aThanks @scottbuscemi! - Make content list search work on large collections (#1219). The admin content list previously filtered only the rows already loaded on the current page, so an entry far back in a big collection could not be found until you navigated near it. The list endpoint now accepts aqparameter and performs a case-insensitive substring search across the collection's title/name/slug columns server-side (LIKE wildcards in the query are escaped), and the admin search box drives that query (debounced) instead of filtering in memory. Also adds locale-aware composite indexes (idx_{table}_loc_upd/idx_{table}_loc_crt) so locale-filtered content lists stay index-served on large, i18n-enabled tables. -
#1302
1f8190dThanks @WellDunDun! - Fixes locale-aware content updates so REST, CLI, client, and MCP callers can safely update content by slug when multiple locales share the same slug. -
#1224
67f5992Thanks @scottbuscemi! - Fix taxonomy terms not being locale-aware in the content editor (#1218). Term assignments are stored against the per-locale content row while the term'stranslation_groupspans every locale, so resolving terms for an entry must scope to the entry's locale. The content terms endpoint (/content/:collection/:id/terms/:taxonomy) now derives the entry's locale server-side and passes it togetTermsForEntry, and the adminTaxonomySidebarthreads the entry locale through its fetch/save calls (and into its React Query keys, so switching translations refetches). Previously a localized post showed and applied every locale variant of a tag instead of just the variant for its own locale. -
#1227
a40e455Thanks @scottbuscemi! - Add search and filtering to the media library (#1221). The media list endpoint now accepts aqparameter for a case-insensitive filename substring search (which also matches extensions, with LIKE wildcards escaped), alongside the existingmimeTypefilter. The Media Library page gains a filename search box and a type filter (images / video / audio / documents), and the media picker in the content editor now searches the local library by filename too. Previously neither surface could search or filter local media, which made large libraries hard to navigate. -
#1319
69bdc97Thanks @ascorbic! - Fixrequire is not definedcrash on every EmDash API route underastro devon Cloudflare Workers (#1292).@emdash-cms/registry-clientlistedsemver(CommonJS) independencies, which the build externalizes -- so consumers loaded a nested CJS copy. Vite's SSR module runner (workerd) evaluates modules with norequirebinding, so semver's internalrequire()threw and took down any route whose import graph reached registry-client (schema, plugins, env compatibility checks). semver is now bundled into the ESM output, so nothing CommonJS reaches the worker. -
#1285
5e7f835Thanks @ascorbic! - Fix SEO fields (noindex toggle, canonical URL) not affecting rendered pages. The content loader now surfaces per-entry SEO metadata onentry.data.seo, sogetSeoMeta()reflects values set in the admin SEO panel. SEO is folded into the existing entry query via a LEFT JOIN, adding no extra database round-trips. -
#1298
cd2dcc6Thanks @ascorbic! - Seed files can now attach an avatar to a byline.bylines[].avatartakes astorageKey(plus optionalalt,filename,mimeType,width,height) for a file that already exists in the configured storage; applying the seed creates amediarow and links it to the byline viaavatarMediaId. Unlike a content$mediareference, nothing is downloaded or uploaded, which suits seeding bylines alongside a media migration. -
Updated dependencies [
cccf4f2,28432b9,886f2d1,a5dafb3,9422d6a,67f5992,a40e455,69bdc97,34afc14,590b2f9,019d9e4,ba0f3d4,aacdf20,7d55db6]:- @emdash-cms/admin@0.17.0
- @emdash-cms/registry-client@0.3.1
- @emdash-cms/auth@0.17.0
- @emdash-cms/gutenberg-to-portable-text@0.17.0
0.16.1
Patch Changes
0.16.0
Minor Changes
-
#1195
47a8350Thanks @ascorbic! - The per-collection sitemap (/sitemap-{collection}.xml) is now i18n-aware. When Astro i18n is enabled, each translation row is emitted as its own<url>with the correct locale prefix (resolved via Astro's owngetRelativeLocaleUrl, soprefixDefaultLocaleand custompathmappings are honoured). Every entry also lists its sibling translations as<xhtml:link rel="alternate" hreflang="...">(plusx-defaultfor the default-locale variant), grouped bytranslation_group. Sites with a single locale or no i18n configured are unaffected -- their sitemap XML is unchanged. -
#1238
60c0b2eThanks @ascorbic! - Registry plugins can now declare environment requirements. A plugin's manifest may set a release-levelrequiresblock (e.g.{ "env:emdash": ">=1.0.0", "env:astro": ">=4.16" }), which is published into the release record. When browsing a registry plugin, the admin compares those constraints against the running EmDash and Astro versions: if the host doesn't satisfy them, it shows a compatibility warning and disables the Install button. The server enforces the same check on install and update, refusing an incompatible release withENV_INCOMPATIBLEso the gate can't be bypassed. -
#1239
1a4918fThanks @ascorbic! - Plugins published to the experimental registry can now ship icon, screenshot, and banner images. Declare them inemdash-plugin.jsoncunderrelease.artifactsas file refs;emdash-plugin publish --artifact-base-url <url>measures each image's dimensions, uploads it, and records it in the release. The admin plugin detail page renders the icon, banner, and a screenshot gallery, fetched through a server-side image proxy. The proxy resolves each artifact's URL server-side from the validated release record (the client sends only the artifact's coordinates, never a URL), then applies SSRF defences and an image content-type allowlist before serving the bytes. Supported image types are PNG, JPEG, WebP, GIF, and AVIF; SVG is rejected at both publish and proxy because it is active content. -
#1064
33f76b8Thanks @Glacier-Luo! - Adds field-level and range filtering togetEmDashCollection'swhereoption. Previously, only taxonomy-based keys were processed via JOIN; non-taxonomy field names were silently discarded. Now thewhereclause supports exact match (string), multi-value match (string[]), and range comparisons ({ gt?, gte?, lt?, lte? }) on any content table column, all executed at the SQL layer with parameterized queries.
Patch Changes
-
#1159
e312528Thanks @jp-knj! - Fix scheduled posts missing from snapshot export on SQLite/D1 until UTC midnight. -
#1166
668c5e1Thanks @OrangeManLi! - FixesportableTextToProsemirrorflattening nested lists whose subtree mixeslistItemtypes. The outer run-grouping broke on the first nested type switch (e.g. anorderedListchild under abulletListparent), so an input like[bullet L1, number L2, bullet L1]was emitted as three separate top-level lists instead of one bullet list with a numbered sub-list under the first item. InternalconvertList/convertListItemrecursion was already correct — only the outer grouping needed to be widened to includelevel > 1blocks regardless oflistItemtype. -
#1160
f62c004Thanks @CacheMeOwside! - Fixes Postgres server bundles importingbetter-sqlite3, which crashed production starts (pnpm preview,pnpm start) withERR_MODULE_NOT_FOUNDbecause the SQLite driver is not installed in Postgres-only deployments. MovedEmDashDatabaseErrorinto a new SQLite driver-freedatabase/errors.tsand re-exported it from there, so thebetter-sqlite3import doesn't leak into the Postgres build. -
#985
5456514Thanks @ppppangu! - Fixes public form embeds during SSR by allowing frontend plugin components to call public plugin routes without self-fetching. -
#1157
7554bd3Thanks @jp-knj! - Fix scheduled posts not appearing on SQLite/D1 until UTC midnight. -
#1196
e9877e1Thanks @Rimander! - Fix WordPress import leavingfeatured_image(and other image/file fields) pointing at the original WordPress URL after media download. The rewrite step passed the whole stored MediaValue JSON to the URL matcher instead of its innersrc, so the field was never rewritten to the local R2 URL even though the file existed in the media table. Inline content images were unaffected. -
Updated dependencies [
62619c2,3d540da,b89e988,4612749,60c0b2e,1a4918f,d2f2679]:- @emdash-cms/admin@0.16.0
- @emdash-cms/registry-client@0.3.0
- @emdash-cms/auth@0.16.0
- @emdash-cms/gutenberg-to-portable-text@0.16.0
0.15.0
Minor Changes
-
#426
02ed8baThanks @BenjaminPrice! - Adds workerd-based plugin sandboxing for Node.js deployments.- emdash: Adds
isHealthy()toSandboxRunnerinterface,SandboxUnavailableErrorclass,sandbox: falseconfig option,mediaStoragefield onSandboxOptions, and exportscreateHttpAccess/createUnrestrictedHttpAccess/PluginStorageRepository/UserRepository/OptionsRepositoryfor platform adapters. - @emdash-cms/cloudflare: Implements
isHealthy()onCloudflareSandboxRunner. FixesstorageQuery()andstorageCount()to honorwhere,orderBy, andcursoroptions (previously ignored, causing infinite pagination loops and incorrect filtered counts). AddsstorageConfigtoPluginBridgePropssoPluginStorageRepositorycan use declared indexes. - @emdash-cms/sandbox-workerd: New package.
WorkerdSandboxRunnerfor production (workerd child process + capnp config + authenticated HTTP backing service) andMiniflareDevRunnerfor development.
- emdash: Adds
-
#1146
11b3001Thanks @MohamedH1998! - Adds first-class i18n support for bylines, mirroring the row-per-locale model already used by menus and taxonomies (PR #916, migrations 036).Schema (migration 040)
_emdash_bylinesgains two columns:locale—TEXT NOT NULL DEFAULT 'en'. Every row now belongs to exactly one locale.translation_group—TEXT NOT NULL. Shared across every locale variant of a single byline identity. The anchor row'stranslation_groupequals itsid; siblings inherit it.
A partial unique index
idx_bylines_group_locale_uniqueenforces one row per(translation_group, locale). The pre-existing(slug)unique index becomes(slug, locale)to allow the same slug across locales.Existing rows are backfilled to the configured
defaultLocale(or'en'if i18n isn't configured) withtranslation_group = id. Monolingual sites see no functional change; multilingual sites continue rendering the same byline data at the default locale until editors create translations.Credit hydration: strict per-locale
_emdash_content_bylines.byline_idnow stores the byline'stranslation_group, not its row id. When an entry is rendered, credits are filtered by joining the junction against the byline sibling whoselocalematches the entry'slocale. If no sibling exists at the entry's locale, the credit hydrates as empty — there is no fallback to other locales' bios.Author-inferred bylines (where an entry has no explicit credits but its author is linked to a byline) still fall back per-locale and respect the strictness gate: an entry with explicit credits at any locale will not infer from the author even if the explicit credits don't resolve at the rendering locale.
This is a deliberate behavior change for multilingual sites. The motivation is correctness: chain-walking credits across locales renders the wrong-language bio on translated entries.
The "explicit credit suppresses author fallback" check reads
primary_byline_iddirectly from the content row — set bysetContentBylinesiff junction rows exist, backfilled by migration 040 for pre-existing rows. No separate probe against_emdash_content_bylinesis needed at hydration time; the column is folded into the single per-entry context fetch (author_id+primary_byline_idin one query). Both monolingual and multilingual sites get the same query count.Identity lookups: chain-walk
getBylineBySlug(slug, { locale })walks the configured fallback chain (resolveLocaleChain), likegetMenuandgetTerm. Author pages for un-translated bylines still render an identity rather than 404'ing. This is conceptually distinct from credit hydration and runs throughrequestCachedfor per-render dedupe.Admin
- TranslationsPanel in the bylines editor lists every configured locale with Edit / Translate buttons. The Translate action POSTs to the new
POST /_emdash/api/admin/bylines/:id/translationsendpoint. - LocaleSwitcher on
/bylinesfilters the list strictly to one locale. Cross-locale navigation via TranslationsPanel routes through/bylines?locale=…. - The byline picker on the content editor is locale-pinned to the entry's locale. Editors only see bylines that will actually hydrate at the entry's locale.
- The byline credit empty state on a locale with no bylines yet shows a CTA linking to
/bylines?locale=…for inline creation. - Translating an entry (
POST /content/:collectionwithtranslationOf) callscopyContentBylinesto inherit the source's credits — these resolve at the new entry's locale via the strict-hydration model, so credits "follow" the content across translations once sibling bylines exist.
API additions
GET /_emdash/api/admin/bylines/:id/translations— list every sibling row sharing a translation_group.POST /_emdash/api/admin/bylines/:id/translations— create a sibling at a target locale. Body defaults (slug, displayName, websiteUrl, avatar) inherit from the source.POST /_emdash/api/admin/bylinesacceptstranslationOf+localeto create a sibling in one call.GET /_emdash/api/admin/bylines?locale=…filters strictly.BylineSummarygainslocale: stringandtranslationGroup: string | null(additive — existing consumers ignore the new fields).
Permissions
Two new entries on
@emdash-cms/auth:bylines:read— minimumSUBSCRIBER.bylines:manage— minimumEDITOR.
All byline routes (list, get, update, delete, translations) now check these instead of
content:read/Role.EDITOR. Role thresholds are unchanged, so existing users see no permission differences. Custom RBAC configurations that bind to the old strings should add the new permission names.Repository
BylineRepositoryis strict per-locale:findMany,findBySlug,findByIdaccept an optionallocaleand return rows matching that locale (or all locales when omitted, for the manager view).- New methods:
listTranslations(id),findByTranslationGroup(group),copyContentBylines(collection, fromId, toId). setContentBylinesdeduplicates bytranslation_groupafter resolving wire row ids, so passing two sibling row ids of the same identity collapses to one credit row.deleteis sibling-aware: removing one locale variant leaves siblings standing.
Notable trade-offs
- Strict hydration over chain-walking for credits. Chain-walking would render mismatched-language bios on translated content. The honest answer is to show nothing rather than the wrong thing; the picker tells editors which bylines will resolve at the entry's locale, and the empty-state CTA makes creating a sibling a one-click flow.
- Schema is row-per-locale, not a separate
byline_translationsside-table. Matches the existing content / menu / taxonomy convention so query patterns and indexes are consistent across the codebase.
-
#1176
fae97eeThanks @ascorbic! - Code blocks in the rich text editor now have an inline language picker. Hover over any code block to reveal a chip in the corner; click it to enter a language (free-form input with curated suggestions for ~30 common languages including TypeScript, Python, Bash, Rust, Astro, SQL, and more). Aliases resolve automatically -- typingtsstorestypescript,c++storescpp, etc. The existing markdown shortcut (typing```htmlfollowed by a space or Enter) continues to pre-populate the language. The chosen language persists on the Portable Textlanguagefield and is emitted as alanguage-{id}class on the rendered<pre>so frontend syntax highlighters can pick it up. The visual (in-place) editor gets the same picker UI. -
#1114
9a30607Thanks @ascorbic! - Plugins installed from the experimental registry can now be uninstalled and updated from the admin, the same way marketplace plugins always could. The "uninstall is not yet available for registry plugins" placeholder is gone — registry plugin rows now show the same Uninstall and Update buttons.The Plugins page's "updates available" indicator now covers registry plugins too. If the registry aggregator is unreachable, marketplace updates still load (and vice versa).
Updates that need newly-declared permissions, or that newly expose a public (unauthenticated) route, prompt for re-consent before installing the new version — matching the gate that marketplace updates already have.
-
#1125
d0ff94bThanks @ascorbic! - Adds a version picker to the registry plugin detail page. Older releases of a registry-hosted plugin are now selectable from a dropdown next to the Install button, and the displayed version, indexed date, permissions, and source link swap to match the selected release. Pre-release versions (e.g.1.0.0-alpha.1) are flagged with a "Pre-release" badge so admins can spot them before installing. Versions still inside the configured minimum-release-age holdback remain visible in the dropdown but stay non-installable until they age into the window.
Patch Changes
-
#1139
88f544dThanks @ask-bonk! - Upgradeskyselyto^0.29.0(was^0.27.0) to resolve three high-severity advisories fixed in>=0.28.17:- GHSA-wmrf-hv6w-mr66 – SQL injection via unsanitized JSON path keys
- GHSA-pv5w-4p9q-p3v2 – JSON-path traversal injection via
JSONPathBuilder.key()/.at() - GHSA-8cpq-38p9-67gx – MySQL SQL injection via
sql.lit(string)
Also updates import paths for
MigratorandMigrationtypes tokysely/migrationto comply with kysely 0.29 export changes. -
Updated dependencies [
cf3c706,b9cc08e,11b3001,fae97ee,88f544d,393dd26,9a30607,d0ff94b]:- @emdash-cms/registry-client@0.2.0
- @emdash-cms/admin@0.15.0
- @emdash-cms/auth-atproto@0.2.8
- @emdash-cms/auth@0.15.0
- @emdash-cms/gutenberg-to-portable-text@0.15.0
0.14.0
Patch Changes
-
#1100
f753dbaThanks @jcheese1! - Resolve bare local media IDs in media fields before falling back to external URLs. -
#1101
e539731Thanks @ascorbic! - Fixes experimental registry navigation and allows the configured registry aggregator through the admin CSP. -
#1112
3756168Thanks @ascorbic! - Validates aggregator responses at the read-side trust boundary inDiscoveryClient. Two layers run:- Response envelope (
uri,cid,did,slug,version, …):DiscoveryClientnow routes every call through@atcute/client's schema-validating.call()against the aggregator method's output lexicon. Request params are validated too. A non-conforming envelope throwsClientValidationError. - Embedded signed
profile/releaserecords (typedunknownby the aggregator lexicon because they are relayed verbatim from publisher repos under a different lexicon namespace): nowsafeParse'd againstcom.emdashcms.experimental.package.profile/release. A conforming record is returned as the typed lexicon shape; a non-conforming one is surfaced asnullso one bad record doesn't fail an entire search page.
Refines the return types from
unknowntoPackageProfile.Main | null/PackageRelease.Main | null(new exportedValidatedPackageView/ValidatedReleaseView/ValidatedSearchPackages/ValidatedListReleasestypes). Callers must null-check. The registry install handler now fails closed when the aggregator returns a release record that does not conform to its lexicon.Validation is structural only — the lexicon's
uriformat permits non-HTTP schemes, so UI rendering these URLs still applies its own scheme allow-list. - Response envelope (
-
Updated dependencies [
cf85941,3756168,3756168]:- @emdash-cms/admin@0.14.0
- @emdash-cms/registry-client@0.1.0
- @emdash-cms/auth@0.14.0
- @emdash-cms/gutenberg-to-portable-text@0.14.0
- @emdash-cms/auth-atproto@0.2.7
0.13.0
Minor Changes
-
#1057
c0ce915Thanks @ascorbic! - BREAKING (plugin authors): Reworks how sandboxed plugins are defined. ThedefinePlugin()helper is removed for sandboxed-format plugins; the new shape is a bare default export with asatisfies SandboxedPluginannotation. A new type-only subpathemdash/pluginprovides the types.This affects anyone writing a sandboxed plugin. Sites that use plugins are unaffected (see the per-plugin changesets for the import-shape change in published plugins).
- import { definePlugin, type ContentHookEvent, type PluginContext } from "emdash"; + import type { SandboxedPlugin } from "emdash/plugin"; - export default definePlugin({ + export default { hooks: { "content:beforeSave": { - handler: async (event: ContentHookEvent, ctx: PluginContext) => { + handler: async (event, ctx) => { // ... return event.content; }, }, }, - }); + } satisfies SandboxedPlugin;Three changes:
- Drop
import { definePlugin } from "emdash"and thedefinePlugin(...)wrapping call. Sandboxed plugins now default-export the bare object. import type { SandboxedPlugin } from "emdash/plugin"and addsatisfies SandboxedPluginto the default export. Theemdash/pluginsubpath is type-only — the bundler erases the import, so no runtime resolution ofemdashis needed (and the heavyemdashruntime no longer enters the plugin bundle).- Drop handler parameter annotations like
event: ContentSaveEvent, ctx: PluginContext. The strict mapped type onSandboxedPlugininfers them per hook name, with the full canonical event type. If you need to reference an event type by name (e.g. in a helper function),emdash/pluginre-exports them:import type { ContentHookEvent, PluginContext } from "emdash/plugin".
Why: the old
definePluginwas an identity function whose only job was to aliasemdashto a Proxy shim at build time so the import would resolve. With the new shape, sandboxed plugins have no runtimeemdashimport — only type-only imports fromemdash/plugin. The bundler doesn't need to alias anything; the build pipeline is simpler; and authors get strict per-hook event/return type inference for free.The trade-off: previously you could narrow an event type locally (e.g.
interface ContentSaveEvent { content: ... & { id: string } }). Under the strict mapped type, the canonical event type wins (TypeScript's contravariance on function parameters means narrowing isn't assignable). Authors validate fields at runtime withtypeof/isRecordchecks instead — which is the right pattern for input that comes from outside the type system anyway.Routes follow the same simplification. The two-arg
(routeCtx, ctx)shape is unchanged; only the annotations disappear:export default { routes: { health: async (routeCtx, ctx) => { // routeCtx: SandboxedRouteContext, ctx: PluginContext — both inferred. return new Response("ok"); }, }, } satisfies SandboxedPlugin;SandboxedRouteContextexposes{ input, request, requestMeta? }.requestis typed asSandboxedRequest— a{ url, method, headers }record that's portable across in-process and isolate execution (Worker Loader can't pass realRequestobjects across the boundary).Native plugins are unaffected. This change applies only to sandboxed-format plugins. Native plugins continue to use
definePlugin()fromemdashand the existingPluginDefinitionshape.Type rename:
SandboxedPluginon theemdashpackage now refers to the new author-facing source-shape type. The runtime-side handle type (returned bySandboxRunner.load, held in the runtime's plugin cache) is renamed toSandboxedPluginInstance. If you importSandboxedPluginfromemdashto type a sandbox runner implementation or hold runtime plugin handles, update those imports toSandboxedPluginInstance. Public consumers of this type are mostly limited to@emdash-cms/cloudflareand other sandbox runner adapters; standard plugin / site code is unaffected.Removed types:
StandardPluginDefinition,StandardHookHandler,StandardHookEntry,StandardRouteHandler,StandardRouteEntryare no longer exported fromemdash. These were authoring-helper aliases under the old permissivedefinePluginstandard overload. UseSandboxedPluginfromemdash/pluginfor the same purpose under the new shape.Removed function:
isStandardPluginDefinitionis gone. There's no equivalent — sandboxed plugins are identified by structure ({ hooks?, routes? }) and you should treat the default export as already typed viasatisfies SandboxedPlugin. - Drop
-
#1052
0d5843fThanks @Rimander! - Fixes menu REST API consistency:POST /menus/:name/itemsno longer accepts unknown keys silently. Sendingcustom_url(snake_case) orurlused to return 201 withcustom_url: nullbecause Zod's default.strip()quietly dropped them. The schemas now use.strict()and return 400VALIDATION_ERRORwithUnrecognized key: "custom_url". The documented camelCase keys (customUrl,sortOrder,referenceCollection, etc.) are unchanged and persist as before. Thetypefield is now validated against the canonical enum ("custom" | "page" | "post" | "taxonomy" | "collection"); previously any string passed.- Moves per-item writes to
PUTandDELETE /menus/:name/items/:id(path-style). Every other EmDash resource (content,taxonomies,redirects,sections,widget-areas) addresses items by URL path; menus were the lone outlier requiring?id=<id>in the query string. The legacy query-string form is removed (it was undocumented and only used by the admin, which is updated in this PR). Callers should usePUT /menus/:name/items/:id/DELETE /menus/:name/items/:id. - Menu and menu-item API responses are now camelCase, aligning with the rest of EmDash's REST surface (
content,taxonomies,redirects, …).created_at→createdAt,updated_at→updatedAt,menu_id→menuId,parent_id→parentId,sort_order→sortOrder,reference_collection→referenceCollection,reference_id→referenceId,custom_url→customUrl,title_attr→titleAttr,css_classes→cssClasses,translation_group→translationGroup. Breaking for direct REST consumers that depend on snake_case keys in the response body. The admin UI is already updated. - Refactors menus to the standard repository pattern. Adds
MenuRepositorynext toContentRepository,TaxonomyRepository,RedirectRepository,MediaRepository,CommentRepository. Handlers become thin orchestrators; the repository is now the single place where snake_case rows become camelCase entities.
These changes do not touch any database schema or migration. Existing data is preserved.
-
#1011
dbaea9cThanks @ascorbic! - Adds experimental support for the decentralized plugin registry (see RFC #694). Configure withexperimental.registry.aggregatorUrlinastro.config.mjs; the admin UI then uses the registry instead of the centralized marketplace for browse and install. Marketplace behavior is unchanged when the option is not set.The experimental config accepts a
policy.minimumReleaseAgeduration (e.g."48h") that holds back releases below that age from install and update prompts, with apolicy.minimumReleaseAgeExcludeallowlist for trusted publishers or specific packages. The minimum-release-age check is enforced both client-side (for UX) and server-side (in the install endpoint), so stale browser tabs and deep links still hit the gate.
Patch Changes
-
#1076
6e62b90Thanks @ascorbic! - Fixes spurious TypeScript errors in strict projects that consume EmDash. Several subpaths (emdash/routes/*,emdash/api/route-utils,emdash/api/schemas,emdash/auth/providers/github,emdash/auth/providers/google) previously shipped raw source, so yourtscand editor type-checked EmDash's internals against your config and could report errors that weren't yours. These now ship compiled type declarations instead. The*-adminproviders andemdash/uistay source because they bridge the admin React/Astro runtime your own build processes. Import paths and runtime behaviour are unchanged. -
#1086
23597d0Thanks @ascorbic! - Fixes silent data loss in migration 036 on Cloudflare D1 (#1021). D1 ignoresPRAGMA foreign_keys = OFFand its replacementdefer_foreign_keysonly defers constraint validation, it doesn't suppress CASCADE actions, so dropping any table during the i18n rebuild fired its child cascades. Three FK relationships were affected:content_taxonomies.taxonomy_id -> taxonomies(id) ON DELETE CASCADEwiped all post-taxonomy associations.taxonomies.parent_id -> taxonomies(id) ON DELETE SET NULLflattened taxonomy hierarchies._emdash_menu_items.menu_id -> _emdash_menus(id) ON DELETE CASCADEwiped every menu item on the install (along withparent_id -> _emdash_menu_items(id) ON DELETE CASCADEmopping up nested items).
The migration now physically removes those FK relationships before any drop.
content_taxonomiesand_emdash_menu_itemsare rebuilt without their parent FKs as the first steps of up(), and the newtaxonomiesself-FK targets its temporary name (taxonomies_new) which SQLite rebinds on RENAME. The FKs from migration 005 on_emdash_menu_itemsare not restored on rollback either: the runtime always deleted child rows explicitly, so the cascade was redundant and reinstating it would only re-create the #1021 hazard on any future migration that drops_emdash_menus. Rollback also refuses to run whencontent_taxonomieshas rows referencing translation groups with no survivingtaxonomiesrow, surfacing dangling data before any destructive work, and theidx_content_taxonomies_termindex from migration 015 is restored after each rebuild.This is forward-fix only. Installs that already lost data when running 036 will need to restore from D1 Time Travel.
-
#1088
883b75bThanks @MA2153! - FixesEmDashClient.terms()returning{ terms }instead of{ items }, which causedpage.itemsto beundefinedfor any caller that iterated the result. The API handler returns{ terms: TermWithCount[] }but the client was typed and advertised asListResult<Term>— the key name mismatch is now mapped correctly. -
#751
05440b1Thanks @edrpls! - Fix the admin collection list pagination denominator so it no longer grows in increments of 5 as the user pages forward.The
GET /_emdash/api/content/{collection}response now includes atotalfield with the full filtered row count (independent oflimit). The admin uses it as the pagination denominator, so a 143-entry collection reads1/8on page 1 instead of1/5 → 5/10 → 10/15 → …as successive API pages load.The
totalfield is optional; pre-upgrade clients that ignore it still work, and the admin falls back to the loaded-item count when an older server doesn't return it.Also handles the edge case where the current page exceeds
totalPagesafter filtering or deletion — the admin clamps the active page so the table doesn't render empty while waiting for a refetch. -
#1000
94fb50bThanks @ask-bonk! - Fixes invite passkey registration behind a TLS-terminating reverse proxy. The inviteregister-optionsendpoint now resolves the public origin viagetPublicOrigin(url, emdash.config)before callinggetPasskeyConfig, matching every other passkey endpoint. Previously the WebAuthn RP ID fell back tourl.hostname(e.g.localhost), causing the browser to reject the registration with "Security error" when the public origin differed from the upstream host. -
#1013
0cd8c6dThanks @ascorbic! - Fixes the slash command menu's initial selection getting overridden when the menu opens under a stationary pointer. The menu items previously reacted tomouseenterunconditionally, so an item rendered beneath the cursor would steal selection from the keyboard default before any user interaction. Mouse-hover-selects still works, but only after the user actually moves the pointer over the menu. -
#1087
878a0b6Thanks @ascorbic! - Fixes two data-loss bugs in the WordPress WXR import path (admin UI Settings, Import, WordPress, i.e.POST /_emdash/api/import/wordpress/execute).Per-post taxonomy assignments parsed from
<wp:category>,<wp:tag>,<wp:term>, and per-item<category domain="...">blocks (#1061) are now persisted. The HTTP execute handler previously extracted this data and silently discarded it before any taxonomy or pivot rows were written. Terms are created idempotently in EmDash's seededcategoryandtagtaxonomies; custom taxonomies such asgenreare matched against existing EmDash definitions via the runtime's locale fallback chain (resolveLocaleChain), so imports against a non-default-locale site reuse defs seeded at the default locale instead of false-failing. Unknown custom taxonomies surface in a newresult.taxonomies.missingTaxonomiesfield instead of being silently dropped, so the admin can prompt the user to create the missing definition. Assignments respect each taxonomy definition'scollectionsarray.WPML and Polylang translations (#1080) are now imported under their own per-post locale and linked via
translation_group. Previously the entire upload shared oneconfig.localeand the second post of any translation pair was rejected by theUNIQUE(slug, locale)constraint introduced in migration 019. The parser promotes per-post locale from_icl_lang_code(WPML),trid(WPML's translation group id),_locale(Polylang), thelanguagetaxonomy, or_translationspostmeta. Terms are mirrored into each translation's locale so per-locale lookups (getTermsForEntry(..., locale)) resolve correctly on every translation row. Per-translation taxonomy assignments override anchor-inherited ones per-taxonomy when the translator picked different terms, matching WPML "Translate Independently" mode. Taxonomies the translation did not touch keep their inherited assignments, matching WPML "Sync" mode and Polylang's default.Adds
result.taxonomiesto the import response (additive). Existing consumers continue to work unchanged.Scope note: this fixes the HTTP import path, which is what the admin UI calls. The standalone
emdash import wordpressCLI command writes JSON files to disk and has its own slug-only output path that does not carry locale, so it can still clobber two translations with the samepost_name. That is a separate fix and not addressed here. -
#768
121f173Thanks @ask-bonk! - FixesSQLITE_CORRUPT_VTAB(database disk image is malformed) when editing or publishing content on collections that have search enabled, and on restore-from-trash, permanent-delete, and edit-while-trashed flows.The FTS5 sync triggers used the contentless-table form (
DELETE FROM fts WHERE rowid = OLD.rowid) on what is actually an external-content FTS5 table. After an UPDATE onec_<collection>, FTS5 then read NEW column values from the (already updated) content table while trying to remove OLD tokens from the inverted index, drifting the index out of sync until SQLite refused further reads. Rewrites the triggers to use the documented external-content-safeINSERT INTO fts(fts, rowid, ...) VALUES('delete', OLD.rowid, OLD.col1, ...)pattern, gated onOLD.deleted_at IS NULLso we don't try to remove rows that were never indexed (which would itself raiseSQLITE_CORRUPT_VTABon restore-from-trash and permanent-delete).Adds migration
039_fix_fts5_triggersthat rebuilds the FTS index for every search-enabled collection on upgrade, replacing the broken triggers and recovering from any latent index corruption left behind by earlier mutations. The migration runs once at startup before the first request can hit the affected paths, so upgrading sites get the fix on their next deploy without depending on a search-endpoint visit to trigger lazy auto-repair. -
#1077
f4a9711Thanks @ascorbic! - FixesAstro.locals.emdashtyping. The shipped type declaration referenced a build artifact that does not exist, solocals.emdashsilently fell back toanyin every EmDash site — losing autocomplete and type-checking on the handlers API in your pages and endpoints. It is now correctly typed asEmDashHandlers. -
#1019
5681eb2Thanks @ascorbic! - Fixes a Zod type-incompatibility between trusted plugins and core. Without a workspace-level pin, emdash'szod: ^4.3.5could resolve to a different patch than Astro's bundled Zod, and Zod 4 embeds the version in the type — so schemas imported viaastro/zodin trusted plugins (e.g.@emdash-cms/plugin-forms) were not assignable todefinePlugin'sPluginRoute<TInput>['input']. Pins Zod in the pnpm catalog so the entire workspace dedupes on one instance. -
#1074
ed917d9Thanks @ascorbic! - Fixes stored config sharing when the runtime module is loaded as both compileddistand rawsrcin the same process (Vite SSR / dual-package). The integration config is now keyed on a globalSymbol.forregistry entry instead of a typedglobalThisvar, matching the existing isolate-singleton pattern, sogetStoredConfig()resolves consistently across both module copies. -
#1076
6e62b90Thanks @ascorbic! - Fixes a type error in the shipped WordPress-plugin import source: the analyze-endpoint error body fromresponse.json()isunknownunder@cloudflare/workers-typesand was read without narrowing. This file ships as raw source via theemdash/routes/*export, so the error surfaced in strict consumer typechecks (issue #1053). The body is now typed before.messageis read; runtime behaviour is unchanged. -
Updated dependencies [
05440b1,484e7ab,0d5843f,0cd8c6d,d014b48,dbaea9c,5681eb2]:- @emdash-cms/admin@0.13.0
- @emdash-cms/auth@0.13.0
- @emdash-cms/auth-atproto@0.2.6
- @emdash-cms/gutenberg-to-portable-text@0.13.0
0.12.0
Minor Changes
-
#997
7b45cbaThanks @ascorbic! - Adds support for a site-wide default Open Graph image. The setting is exposed in the admin SEO settings page (Settings -> SEO -> Default Social Image), resolved to a URL on read bygetSiteSettings(), and automatically emitted asog:image/twitter:image(and BlogPosting JSON-LDimage) byEmDashHead.astrowhenever a page has no image of its own. Per-page images still take precedence.This wires up an existing data model that was previously defined in the schema and MCP tools but never used: stored values were not resolved and no template path read the setting.
Emitted URLs are absolutized using
SiteSettings.url, the page'ssiteUrl, or the request origin so crawlers and JSON-LD consumers that reject relative URLs work correctly.Also adds a
localOnlyprop toMediaPickerModalthat suppresses the "Insert from URL" input and external provider tabs. Used by SEO settings to ensure the picker only returns locally-stored media (since the setting only persists a localmediaId).Media metadata updates and deletes now invalidate the worker-scoped site-settings cache, so resolved logo/favicon/default-social-image URLs and dimensions stay in sync with the underlying media row.
Patch Changes
-
#1004
35791ffThanks @ascorbic! - Fixes a stale ref race in the slash command menu's keyboard handlers. The state ref was synced viauseEffect(post-commit), so TipTap's Suggestion plugin could read stale state when invokingonKeyDownsynchronously -- causing Enter to occasionally fail to execute commands and arrow navigation to skip selections on slower runs. -
Updated dependencies [
19576be,35791ff,7b45cba]:- @emdash-cms/admin@0.12.0
- @emdash-cms/auth@0.12.0
- @emdash-cms/gutenberg-to-portable-text@0.12.0
- @emdash-cms/auth-atproto@0.2.5
0.11.1
Patch Changes
-
#991
dc44989Thanks @ascorbic! - Fixes TypeError crash on all content mutation API routes when Astro's cache API is not available. Thecachecontext parameter is undefined when the cache feature is not enabled, causingcache.enabledto throw. All 11 call sites now use optional chaining (cache?.enabled). -
Updated dependencies []:
- @emdash-cms/admin@0.11.1
- @emdash-cms/auth@0.11.1
- @emdash-cms/gutenberg-to-portable-text@0.11.1
- @emdash-cms/auth-atproto@0.2.4
0.11.0
Minor Changes
-
#978
27e6d58Thanks @ascorbic! - Enforces the sandboxed plugin bundle size caps from RFC 0001 §"Bundle size limits" in both thebundleandpublishCLI flows: total decompressed ≤ 256 KB, per-file decompressed ≤ 128 KB, and at most 20 files per bundle. The previous bundle command capped only the total at 5 MB; the publish command now also re-validates the decompressed tarball before signing the release record so a publisher hits the same cap locally that aggregators enforce at ingest. Bundles between 256 KB and the old 5 MB ceiling will now be rejected — usually a sign the plugin is bundling host-provided dependencies or assets that belong in a CDN rather than the plugin payload. -
#942
7c536e5Thanks @MA2153! - Adds per-field allowed MIME types forfileandimagefields. Field-levelallowedTypesis now honored end-to-end: it filters the media picker, widens upload acceptance for that field (so e.g. a zip-only field can accept zip uploads even though the global allowlist excludes them), and validates referenced media against the destination field on content save. The schema editor in admin gains an "Allowed types" control with curated presets and freeform entry.Behavior change: the
imagebuilder'sallowedTypesoption was previously accepted but read by nothing. It is now load-bearing — a code-first schema that already passedallowedTypes(e.g.["image/png"]) will now actually narrow the picker and gate uploads. Most users will see no change; if you set this option intending the old (silent) behavior, drop it.Behavior change: updating a field via the admin schema editor now explicitly clears its validation when the form contains no validation settings, instead of leaving an existing
validationvalue intact. This only affects fields with pre-existing validation that is not expressible in the editor UI.
Patch Changes
-
#893
f8ee1edThanks @j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.Note for standalone
@emdash-cms/authconsumers: If yourcredentialstable already exists, you must manually runALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7to support this update. TheDEFAULT -7value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill. -
#976
4c11017Thanks @ask-bonk! - Fixes migration016_api_tokensfailing withtable "_emdash_api_tokens" already existsafter a partially-applied previous attempt. Ifup()crashed mid-way (D1 subrequest limit, isolate cancellation, transient connection error), the migration record never got recorded and Kysely re-ran the migration from the top on the next request, blocking every subsequent boot.up()now usesIF NOT EXISTSon every CREATE so a retry skips already-applied steps and finishes the remainder. Resolves the "table already exists" error reported on fresh Cloudflare Workers + D1 deploys. -
#939
f1d4c0bThanks @schiste! - Make the MCP menu write tools locale-aware by exposinglocaleonmenu_create,menu_update,menu_delete, andmenu_set_items, exposingtranslationOfonmenu_create, and teachinghandleMenuSetItems()to target the requested locale and tag inserted menu items with that menu's locale.All seven menu-name lookups (
handleMenuUpdate,handleMenuDelete,handleMenuSetItems,handleMenuItemCreate,handleMenuItemUpdate,handleMenuItemDelete,handleMenuItemReorder) now fail loud with the newAMBIGUOUS_LOCALEerror code (HTTP 400) when called with anamethat exists in multiple locales and nolocaleis provided. Previously the lookup silently picked an arbitrary translation, which could rewrite or delete the wrong locale's menu on multi-locale installs. The error message lists the available locales so callers can recover. Single-locale installs and callers that already passlocaleare unaffected.The
translationOf→localerequirement is now enforced insidehandleMenuCreate(returnsVALIDATION_ERROR), so REST/SDK callers get the same guard the MCP boundary already provided. -
d273e9aThanks @ascorbic! - Refactors the plugin manifest types to re-export from@emdash-cms/plugin-types. The capability vocabulary (PluginCapability,CAPABILITY_RENAMES,normalizeCapability,isDeprecatedCapability) and manifest shape (ManifestHookEntry,ManifestRouteEntry,PluginStorageConfig,StorageCollectionConfig) now live in the shared package so the registry CLI can write the same types core reads. Existing imports fromemdash's plugin types module continue to work unchanged. -
#943
514d32dThanks @Rimander! - Fixes seed menu items losing theirtranslation_groupacross export/apply by adding optionalid,locale, andtranslationOffields toSeedMenuItem. The export emits stable seed IDs andtranslationOfreferences; the apply resolves them to the anchor'stranslation_group, matching the existing pattern for content entries, taxonomies, and terms. -
#948
8116949Thanks @ascorbic! - Adds always-ondb.*andcache.*Server-Timing fields so render-phase performance is diagnosable in production. Each request now emitsdb.total(cumulative DB ms),db.count(query count),db.first/db.last(first/last query offset from request start), andcache.hit/cache.miss(request-scoped cache stats). The Kysely log hook is now always installed so counters work without settingEMDASH_QUERY_LOG. -
#946
c4ee7adThanks @LeanderG! - Fixes Postgres rate-limit queries by quoting the reservedwindowcolumn name. -
Updated dependencies [
7f6b6ea,131bea6,f8ee1ed,54b5aa1,c630e31,7c536e5,7aa1897,943df46,0b8a319,13ff061,49b66d9,1b2fa77,530b013,af15975,a4968c1,f80fb58]:- @emdash-cms/admin@0.11.0
- @emdash-cms/auth@0.11.0
- @emdash-cms/plugin-types@0.0.1
- @emdash-cms/auth-atproto@0.2.3
- @emdash-cms/gutenberg-to-portable-text@0.11.0
0.10.0
Minor Changes
-
#916
71f4e7dThanks @Rimander! - Adds i18n support to menus and taxonomies (categories, tags, custom definitions), mirroring the per-locale model already in place for content. Each row carrieslocaleandtranslation_group; translations of the same menu/term/def share atranslation_group._emdash_menu_items.reference_idandcontent_taxonomies.taxonomy_idare remapped to store the referenced row's translation_group, so a single association survives content translations and is resolved against the active locale at runtime.- Runtime helpers (
getMenu,getTaxonomyTerms,getTerm,getEntryTerms,getAllTermsForEntries, …) accept an optional{ locale }and honour the i18n fallback chain; when no locale is given they fall back to the request context anddefaultLocale, matchinggetEmDashCollection/getEmDashEntry. - REST API: GET endpoints accept
?locale=xx; POST endpoints acceptlocaleandtranslationOfin their bodies. New endpoints:GET/POST /_emdash/api/menus/:name/translationsandGET/POST /_emdash/api/taxonomies/:name/terms/:slug/translations. - Creating a content translation now auto-copies the source's taxonomy assignments (the pivot is locale-agnostic, so the copied rows apply to the whole translation group).
- MCP:
taxonomy_list,taxonomy_list_terms,taxonomy_create_term,menu_list,menu_getacceptlocale. New tools:taxonomy_term_translations,menu_translations. - Admin:
TaxonomyManagerandMenuListsurface aLocaleSwitcherwhen multiple locales are configured and thread the active locale through all API calls.TaxonomyManagerexposes a "Translate" action per term that creates the translation and switches to the new locale.
No breaking changes for new installs or single-locale upgrades — defaults are additive (locale defaults to
'en'when omitted, reproducing pre-i18n behaviour).⚠️ Rolling back migration
036_i18n_menus_and_taxonomiesis blocked on multi-locale installs. Dropping thelocalecolumn would collapse translated rows onto an ambiguous(name, slug)unique key, silently deleting content. The migration'sdown()now refuses to run when any row uses a non-default locale and prints the affected table in the error. If you need to revert, export translations first (or delete them), then re-run the rollback. Single-locale installs revert cleanly. - Runtime helpers (
-
#902
7e32092Thanks @ascorbic! -emdash plugin initnow prompts for the plugin format (sandboxed or native) when run interactively, and the scaffolded boilerplate matches the canonical patterns from the docs. Both formats now ship adist/build via tsdown, declare a samplestoragecollection, and demonstrate a hook plus an API route. The sandboxed entry uses an explicitly typedContentSaveEvent; the native entry forwards options throughcreatePlugin. The descriptoridis now derived from the slug instead of the full scoped package name, so scoped names like@org/my-pluginproduce a runtime-valid id. Pass--format=sandboxed,--format=native, or--nativeto skip the prompt; non-TTY runs continue to default to sandboxed.
Patch Changes
-
#701
a2d3658Thanks @lsngmin! - Fixes MediaValue.src returning bare media ID instead of a usable URL for local media -
#912
c8a3a2cThanks @lsngmin! - Permanent-delete API now refuses to remove live (non-trashed) rows and uses a content-domaincontent:delete_permanentpermission instead of the unrelatedimport:execute. Existing audience (ADMIN-only) is unchanged. -
#896
699e1b3Thanks @cristianuibar! - Fixes 500 error onGET /_emdash/api/dashboardwhen running on Cloudflare D1 with many title-bearing collections.fetchRecentItemsnow issues one query per collection in parallel and merges results in JS instead of building a single chainedUNION ALL, which trips D1'sSQLITE_LIMIT_COMPOUND_SELECTcap once enough collections are present (#895). -
#719
2e2b8e9Thanks @ascorbic! - Fixes thefilefield type rendering as a plain text input in the content editor. Adds aFileFieldRendererthat opens the media picker (with mime filter disabled) so any file type can be attached. Also adds ahideUrlInputprop toMediaPickerModalso non-image pickers can hide the image-specific "Insert from URL" input.Aligns the Zod schema and generated TypeScript types for
imageandfilefields with the shape the admin actually stores:provider?,meta?(for both), andpreviewUrl?(for image). Previously these fields were stripped on validation and missing from generated types, so site code could not reliably resolve local media URLs frommeta.storageKey. -
#911
9146931Thanks @masonjames! - Fixes WordPress media URL rewriting for imported image URLs that use generated size suffixes. -
Updated dependencies [
c8a3a2c,2e2b8e9]:- @emdash-cms/auth@0.10.0
- @emdash-cms/admin@0.10.0
- @emdash-cms/auth-atproto@0.2.2
- @emdash-cms/gutenberg-to-portable-text@0.10.0
0.9.0
Minor Changes
-
#884
e2b3c6cThanks @ascorbic! - Removes the worker-isolate manifest cache and stops loading the manifest on public requests.The admin manifest (collection schemas, plugins, taxonomies) is built fresh from the live database on every admin request via constant-shape queries (
SchemaRegistry.listCollectionsWithFields()— one collection query plus one batched field query, chunked at the D1 bound-parameter limit; two queries in practice for typical sites), deduplicated within a single request byrequestCached. Logged-out / public requests no longer touch it at all — the global middleware no longer pre-loadslocals.emdashManifest. Admin routes that need it callawait emdash.getManifest().This closes the cross-isolate staleness bug class behind #776, #873, #876, and #877 by elimination: there is no cache to invalidate, so there is nothing to fan out across warm sibling isolates on Cloudflare Workers, and there is nothing to leave stale after a fire-and-forget delete is cancelled at response-time.
Breaking changes
locals.emdash.invalidateManifestis removed. The shim that survived earlier was a misnomer once the manifest cache itself was gone. Plugin code that called this after schema changes should switch tolocals.emdash.invalidateUrlPatternCache(the only side effect that survived) — or drop the call entirely if the mutation didn't affect collection URL patterns (field/taxonomy/plugin mutations don't).locals.emdashManifestis removed. Read it viaawait locals.emdash.getManifest()instead. The only in-tree consumers were the admin manifest endpoint and the WordPress importer routes, both updated.EmDashRuntime.invalidateManifest()is removed.EmDashRuntime.getManifest()is preserved with the same signature; its body now skips the cache layer.
Performance
The admin manifest build is now O(1) query shapes (one for collections, one batched query for the fields of every returned collection, chunked at the D1 bound-parameter limit) instead of N+1. This is the cost the cache was hiding; the rebuild is cheap enough to run per request.
-
#731
9dfc65cThanks @drudge! - Adds amedia_pickerBlock Kit element: a thumbnail preview with a modal library picker and mime-type filter. Usable in plugin block forms and in Block Kit field widgets. The stored value is the selected asset's URL string, so it is value-compatible with a plaintext_input— existing content continues to work after swapping. Themime_type_filteris restricted to image MIME types (image/orimage/<subtype>); wildcards and non-image types are rejected. -
#809
e7df21fThanks @ascorbic! - Adds an optionalcategoryfield toPortableTextBlockConfigfor plugin-contributed block types. Plugins can now choose how their blocks are grouped in the admin slash menu (e.g. "Sections", "Marketing", "Media", "Layout") instead of always falling under "Embeds". Existing plugins that omit the field continue to render under "Embeds" exactly as before. -
#890
8ae227cThanks @ascorbic! - AddspublishedAttocontent_publish(MCP and REST) and exposesseo,bylines, andpublishedAton the MCPcontent_updatetool.content_publishnow accepts an optional ISO 8601publishedAtto backdate a publish, which is useful when migrating content from another CMS or correcting a historical publish date. The override requires thecontent:publish_anypermission. Without it, the existingpublished_atis preserved on re-publish (idempotent) and falls back to the current time on first publish.The MCP
content_updatetool previously droppedseo,bylines, andpublishedAteven though the underlying handler accepted them. Callers had to fall back to raw SQL against_emdash_seoand_emdash_content_bylinesto set these fields. They now flow through the MCP tool and are persisted in the same transaction as field updates. SettingpublishedAtrequirescontent:publish_any, mirroring the REST PUT route. Closes #621 and #622. -
#800
e2d5d16Thanks @csfalcao! - Adds support for accepting passkey assertions from multiple origins that share anrpId, for deployments reachable under several hostnames (apex + preview/staging) under one registrable parent. Declare additional origins viaEmDashConfig.allowedOrigins(inastro.config.mjs) or theEMDASH_ALLOWED_ORIGINSenv var (comma-separated); the two sources merge at runtime. EmDash validates the merged set againstsiteUrland rejects dead config (non-subdomain entries, IP-literalsiteUrl, trailing dots, empty labels) with source-attributed errors.PasskeyConfig.origin: stringis replaced byPasskeyConfig.origins: string[]. -
#837
e81aa0fThanks @netogregorio! - Make the preview URL pattern locale-aware.getPreviewUrl()now accepts a{locale}placeholder and alocaleoption (empty string collapses adjacent slashes so default-locale entries onprefixDefaultLocale: falsesites stay unprefixed). ThePOST /_emdash/api/content/{collection}/{id}/preview-urlroute resolves the locale automatically from the entry and the site's i18n config, and reads a project-wide default pattern from the newEMDASH_PREVIEW_PATH_PATTERNenv var so the admin's "View on site" link can match locale-prefixed routes (e.g./{locale}/{id}). -
#811
cee403dThanks @ascorbic! - Adds a centralized secrets module andemdash secretsCLI command group. The preview HMAC secret and commenter-IP hash salt are now generated and persisted in the options table on first need, withEMDASH_PREVIEW_SECRETandEMDASH_IP_SALTas optional env overrides. This replaces the previous empty-string preview fallback (which silently disabled token verification) and the hardcoded"emdash-ip-salt"constant (which was correlatable across installs).Adds:
emdash secrets generate [--write <file> [--force]]— emits a freshEMDASH_ENCRYPTION_KEY(versionedemdash_enc_v1_<43 chars>format), optionally writes it to.dev.varsor.envidempotently.emdash secrets fingerprint <key>— prints the kid (8-char fingerprint) for a key without exposing its value.
Lays groundwork for plugin-secret encryption-at-rest in a follow-up.
Deprecates:
emdash auth secret— kept as a working alias that prints a stderr deprecation note. Will be removed in a future minor.EMDASH_AUTH_SECRETitself is now legacy: it's only consulted as a fallback IP-salt source for upgrade compatibility (so existing installs keep stable commenter-IP hashes). New installs don't need to set it.
API changes:
fingerprintKey()(exported fromemdash's config module) now validates its input and throwsEmDashSecretsErrorfor malformed or non-canonical keys, where it previously silently hashed any string. Callers that want the previous "fingerprint anything" behavior should hash the input themselves withcrypto.subtle.digest.
User-visible side effects on upgrade:
- Installs that hadn't set
EMDASH_PREVIEW_SECRETget a fresh random preview secret on first start, which invalidates any outstanding preview URLs (typically short-lived). - Installs that hadn't set
EMDASH_AUTH_SECRETget a fresh random IP salt, resetting active comment rate-limit windows once. - Installs that did set
EMDASH_AUTH_SECRETkeep the same IP salt via a legacy fallback, so existing rate-limit data carries over. - If you sign preview URLs from a separate process without access to the
EmDash database (e.g. a remote preview Worker), you must continue to
set
EMDASH_PREVIEW_SECRETin both processes. Processes that share the database converge on the same auto-generated value automatically; the env override is only needed when the verifying process can't read the options table.
-
#816
d4be24fThanks @ask-bonk! - Unifies plugin capability names under a single<resource>[.<sub-resource>]:<verb>[:<qualifier>]formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded:anyqualifier with the more conspicuous:unrestricted. Old names are still accepted with@deprecatedwarnings;emdash plugin bundleandemdash plugin validatewarn for each deprecated name andemdash plugin publishrefuses manifests that still use them.The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (
content:read,content:write,media:read,media:write,users:read,network:request,network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins withread:contentresolve tocontent:readand reach the same code path.Old New read:contentcontent:readwrite:contentcontent:writeread:mediamedia:readwrite:mediamedia:writeread:usersusers:readnetwork:fetchnetwork:requestnetwork:fetch:anynetwork:request:unrestrictedemail:providehooks.email-transport:registeremail:intercepthooks.email-events:registerpage:injecthooks.page-fragments:registerExisting installs keep working — manifests are normalized at every external boundary and
diffCapabilitiesnormalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.
Patch Changes
-
#858
e0dc6fbThanks @ask-bonk! - Adds CSS custom-property hooks to portable-text block defaults inImage,Embed,Gallery, andBreakso host sites can theme figcaptions and horizontal rules without overriding component CSS. Resolution order is--emdash-caption-color→--color-muted→#666for captions,--emdash-break-color→--color-border→#e0e0e0for the break line, and--emdash-break-dots-color→--color-muted→#999for break dots. Backward compatible: sites that don't define any of these variables get the previous hex defaults; sites that already expose the conventional--color-muted/--color-bordertokens (e.g. the blog template) now get correct dark-mode theming automatically. -
#838
c22fb3aThanks @ascorbic! - Removes a redundantSELECT id, author_idlookup that fired after every collection-list and entry fetch when computing the byline-fallback for entries without explicit credits. The column is already on the row data, so it is now read directly. Saves up to one round-trip per list query and two on post-detail routes (~30 fewer queries across the perf-fixture suite). -
#805
6a4e9b8Thanks @ascorbic! - Fixes data loss in the visual-editing inline editor for plugin-contributed Portable Text block types. Previously, custom blocks likemarketing.herolost every field exceptidwhen the page was opened in edit mode, and the next save persisted the loss. Blocks now round-trip losslessly and render as a read-only placeholder labelled with the block type. -
#702
0ee372aThanks @ilicfilip! - Adds@emdash-cms/plugin-field-kit— composable field widgets forjsonfields. Four widgets (object-form,list,grid,tags) are configured entirely through seedoptionsso site builders don't need to write React to get a usable editing UI. Widgets store clean JSON (no nesting, no mutation of shape), so removing the plugin leaves valid data in the database. See discussion #571 for background.Widens
FieldDescriptor.optionstoArray<{ value: string; label: string }> | Record<string, unknown>so plugin widgets can accept arbitrary widget config (not only enum choices). The array shape forselect/multiSelectcontinues to work unchanged. -
#861
22a16eeThanks @ask-bonk! - Fixes "Cannot find module 'kysely'" at runtime afterastro buildfollowed byastro previewornode dist/server/entry.mjson Node deployments using SQLite or libSQL (#741). The SQLite and libSQL dialect runtime modules used CJSrequire("kysely")andrequire("better-sqlite3"), ostensibly to defer loading at config time — though in practice these modules are only ever loaded at runtime viavirtual:emdash/dialect, so the deferral served no purpose. Vite preserved those literalrequire()calls in the bundled SSR chunks; under pnpm's strictnode_moduleslayout, Node's CJS resolver could not findkysely(a transitive dep ofemdash) from the user'sdist/server/chunks/directory. The dialect modules now use static imports — matching the existingdb/postgres.tsadapter — so Vite resolves the deps correctly at build time. -
#847
1e2b024Thanks @ascorbic! - Fixes site favicon injection so user-configured favicons render on the public site, including SVG favicons in Chromium browsers (#831).EmDashHeadnow emits a<link rel="icon">tag with the correcttypeattribute (e.g.image/svg+xml) sourced from the stored media's MIME type. The bundled templates and demos have been updated to drop their per-template favicon link in favour of the centralized injection; existing user sites that still emit their own<link rel="icon">continue to work because browsers tolerate the duplicate.MediaReferencenow carriesurl,contentType,width, andheightwhen resolved viaresolveMediaReference, so callers can emit correct head tags without a second round-trip to the media table. -
#851
81662e9Thanks @ask-bonk! - Fixes admin branding (logo, siteName, favicon) configured via the integration'sadminoption not being delivered to the React admin SPA. The/_emdash/api/manifestroute now reads admin branding from the per-request config plumbed through middleware (the same sourceadmin.astroalready used), instead of a build-time global that was never assigned. -
#857
2f22f57Thanks @ask-bonk! - Fixes a migration race on D1 where two concurrent Workers isolates could both try to apply the same migration, causing one to fail withUNIQUE constraint failed: _emdash_migrations.name. The losing isolate would throw before reaching auto-seed, leaving the manifest cache empty and the admin UI reporting collections as not found while the API reported them correctly.runMigrationsnow treats this specific error as benign, waits for the concurrent migrator to finish, and verifies the schema is fully migrated before returning success. Closes #762. -
#856
ef3f076Thanks @ask-bonk! - Fixesnpm installpeer dependency conflicts (#819) by removing@tanstack/react-queryand@tanstack/react-routerfrompeerDependencies. These libraries are internal implementation details of the bundled admin UI (@emdash-cms/admin) and consuming Astro apps don't import them directly. Listing them as peers ofemdashwas forcing every npm-based install to install and resolve them at the top level, which produced ERESOLVE errors and bloat. The admin package continues to declare them as its own runtime dependencies. -
#817
a9c29eaThanks @all3f0r1! - Fixes redirect middleware so 301/302 rules from_emdash_redirectsactually fire for unauthenticated visitors. Previously, the lookup was silently skipped on the public-visitor branch becauselocals.emdash.dbis intentionally omitted there — only logged-in admins, edit-mode sessions and preview tokens ever saw redirects (so WordPress migration 301s, manual rewrites andAuto: slug changerows did nothing for real traffic, andhits/_emdash_404_logstayed at zero). The middleware now falls back togetDb()(ALS-aware) whenlocals.emdash.dbis absent. Resolves #808. -
#874
d5f7c48Thanks @ask-bonk! - FixesEmDashRuntime.invalidateManifest()leaving the persisted manifest cache row stale on Cloudflare Workers. The D1 row delete was a fire-and-forget promise — on Workers, unawaited work is cancelled when the isolate is torn down post-response, sooptions.emdash:manifest_cachewas almost never actually wiped after a schema mutation. Cold-starting isolates downstream then adopted the pre-mutation snapshot and servedCollection '<slug>' not founduntil something else cleared the row. The delete now goes throughafter(), which hands it toctx.waitUntilunder workerd. (#873) -
#839
0d98c62Thanks @ascorbic! - Caches thesite:*settings prefix-scan across requests within a worker isolate. Site settings change rarely; reading them once per route was wasted work. Writes viasetSiteSettings()invalidate the cache so other isolates pick up changes within their lifetime. -
#840
64bf5b9Thanks @ascorbic! - Reduces duplicate queries on pages that render multiple taxonomy or "recent posts" widgets.getTaxonomyDef(name)now reuses the full taxonomy-defs list when it has already been loaded in the same request, andgetEmDashCollectionbuckets small limits so a post-detail page asking for 4 posts in the body and 5 in a sidebar widget shares one fetch instead of two. Cuts ~6 queries from the perf-fixture post-detail render. -
#803
0041d76Thanks @mvanhorn! - Fixes migrations 034 and 035 so they can safely re-run when a previous attempt left the schema partially applied without recording it in_emdash_migrations. Resolves the "index already exists" error reported on upgrade from 0.1.1 to 0.6.0+. -
#869
a8bac5dThanks @ask-bonk! - Fixes autosave validation errors on content seeded from the blog, portfolio, and starter templates (issue #867).Two related issues:
_keywas strictly required on Portable Text blocks by the generated Zod schema, but the rest of the block schema is.passthrough()and the editor regenerates_keyon every change, so requiring it on input rejected legitimate seed/import data without protecting any real invariant._keyis now optional in the validator.- The portfolio template shipped
featured_imageas bare URL strings.imagefields validate as{ id, ... }objects, so any user who edited a different field on a portfolio entry hitfeatured_image: expected object, received string. The portfolio seeds now use$mediareferences in the same shape as the blog template, and every shipped template seed has stable_keys on its Portable Text nodes.
A regression test runs every shipped template seed through the same validator the autosave endpoint uses, so future template changes that break this invariant fail before release.
-
#882
5b6f059Thanks @ascorbic! - Fixes the seed virtual module to also look at the conventionalseed/seed.jsonpath when no.emdash/seed.jsonorpackage.json#emdash.seedpointer is configured. Without this fallback, a site that only hadseed/seed.jsonwould silently fall through to the built-in default seed -- the setup wizard would not offer demo content, and the wrong schema would be applied. The loader now warns when it falls through to the default seed so misconfiguration is loud during dev. -
#855
a86ff80Thanks @ask-bonk! - Fixes Astro session lookups firing on every anonymous public SSR request (#733). The middleware now skipscontext.session.get("user")when noastro-sessioncookie is present, which on Cloudflare Workers (where the Astro session backend is KV) was turning normal anonymous traffic into a flood of KV read misses. Logged-in editors, admin routes, edit/preview flows, and any request that actually carries the session cookie continue to read the session as before. -
#853
eb6dbd0Thanks @drudge! - Fixes content saves on collections with boolean fields. Boolean fields map toINTEGERcolumns and the repository writes booleans as0/1, but never converts them back on read, so a GET → edit → POST round-trip surfaced numbers where the per-collection zod schema expected booleans, and every save was rejected. The boolean field schema now coerces the0/1shape to real booleans at the validation boundary; other numbers and strings still fail validation as before. -
Updated dependencies [
9dfc65c,d6754ae,0ee372a,ef3f076,8d0feb3,8354088,254a443,25128b2,e7df21f,ab45916,0913a39,e2d5d16,a838000,ddbf808,1c958fb,491aeec,d4be24f]:- @emdash-cms/admin@0.9.0
- @emdash-cms/auth@0.9.0
- @emdash-cms/auth-atproto@0.2.1
- @emdash-cms/gutenberg-to-portable-text@0.9.0
0.8.0
Minor Changes
-
#679
493e317Thanks @drudge! - Adds arepeaterBlock Kit element: array-of-objects with scalar sub-fields, drag-to-reorder, and collapsible item cards. Plugin block forms can now capture repeating data (FAQ rows, carousel slides, card grids) inline in the portable-text editor. -
#779
e402890Thanks @ascorbic! - Addssettings_getandsettings_updateMCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO).settings_getresolves media references (logo/favicon/seo.defaultOgImage) to URLs;settings_updateis a partial update that preserves omitted fields. Newsettings:read(EDITOR+) andsettings:manage(ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI. -
#777
3eca9d5Thanks @ascorbic! - Behavior change — MCPtaxonomy_list_termsnow uses an opaque base64 keyset cursor over(label, id)instead of the previous raw term-id cursor. The new cursor is robust to concurrent term deletion: it encodes a position in sort space rather than a reference to a specific row. MCP clients that persisted page cursors across this upgrade should drop them and restart pagination — pre-upgrade cursors will returnINVALID_CURSOR.Adds parent-chain validation to
taxonomy_create_term(previously onlytaxonomy_update_termvalidated): rejects non-existent parents, cross-taxonomy parents, self-parent on update, cycles on update, and parent chains exceeding 100 ancestors. Existing taxonomies with chains over the depth limit continue to function but cannot accept new descendants until the chain is shortened. -
#675
b6cb2e6Thanks @eyupcanakman! - Renders local media through storagepublicUrlwhen configured.EmDashImageand the Portable Text image block now call a newlocals.emdash.getPublicMediaUrl()helper, so R2 and S3 deployments with a custom domain serve images from that domain.S3Storage.getPublicUrlnow returns the/_emdash/api/media/file/{key}path when nopublicUrlis set (previously{endpoint}/{bucket}/{key}). -
#398
31333dcThanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the sameAuthProviderDescriptorinterface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.
Patch Changes
-
#777
3eca9d5Thanks @ascorbic! - Fixes MCP ownership checks failing with an internal error on content that has noauthorId(seed-imported rows). Admins and editors can now edit, publish, unpublish, schedule, and restore such items; users with only own-content permissions get a clean permission error. -
#777
3eca9d5Thanks @ascorbic! - Fixes content create / update silently accepting invalid data: required fields are now enforced, select / multiSelect values must match the configured options, and reference fields must resolve to a real, non-trashed target. Errors surface with a structuredVALIDATION_ERRORcode and a message naming every offending field. -
#670
37ada52Thanks @segmentationfaulter! - Change text direction of input fields and tiptap editor depending upon the language entered -
#688
0557b62Thanks @corwinperdomo! - Fixes the Settings > Email admin page so activeemail:beforeSend/email:afterSendmiddleware plugins are listed (previously always empty). AddsHookPipeline.getHookProviders()for enumerating non-exclusive hook providers. -
#673
5a581d9Thanks @mvanhorn! - Fixes WordPress media import to emit relative/_emdash/api/media/file/...URLs instead of absolute ones, matching every other media endpoint. Imported media is now recognized byINTERNAL_MEDIA_PREFIXfor enrichment, and no longer pins URLs to the origin that happened to serve the import request (breaking renders on a different port or behind a reverse proxy). -
#750
0ecd3b4Thanks @edrpls! - Make the admin collection list column headers sortable.Title,Status,Locale, andDateare now clickable buttons that toggle direction; the current sort state is exposed viaaria-sorton the<th>so screen readers announce it correctly.The server's
orderByfield whitelist now acceptsstatus,locale, andnamealongside the existing date fields — unchanged from a security standpoint, the repo still rejects unknown field names to prevent column enumeration.Callers of
<ContentList>that don't passonSortChangerender the previous static-label headers, so legacy integrations (e.g. the content picker) are unaffected. -
3138432Thanks @r2sake! - Fixes hydration of the inline PortableText editor on pnpm projects by aliasinguse-sync-external-store/shimto the mainuse-sync-external-storepackage. The shim is a CJS-only React<18 polyfill imported transitively by@tiptap/react; under pnpm's virtual store Vite cannot pre-bundle it, and the browser receives rawmodule.exportswhich fails to load as ESM (SyntaxError: ... does not provide an export named 'useSyncExternalStore'). The aliases redirect to React's built-inuseSyncExternalStore(peer-dep floor is React 18), so users no longer need to add the workaround themselves inastro.config.mjs. -
#755
70924cdThanks @mvanhorn! - Fixes the WordPress importer so collections created mid-import are visible to the subsequent execute phase.POST /_emdash/api/import/wordpress/preparenow callsemdash.invalidateManifest()when it creates new collections or fields. Without this, the DB-persisted manifest cache (emdash:manifest_cachein theoptionstable) stays stale and theexecuterequest reportsCollection "<slug>" does not existfor every item destined for a freshly created collection — a bug that survived dev-server restarts and required manually deleting the cache row. -
#757
1f0f6f2Thanks @ascorbic! - Removes two redundant in-scope database queries from the FTS verify-and-repair path. The inner block re-fetched searchable fields and search config that were already loaded in the outer scope of the same method. No behavior change. -
#777
3eca9d5Thanks @ascorbic! - Fixes paginated list endpoints silently returning the first page when given a malformed cursor. Bad cursors now produce a structuredINVALID_CURSORerror so client pagination bugs surface immediately.Note for plugin authors: the low-level
decodeCursorexport fromemdash/database/repositoriesnow throwsInvalidCursorErroron invalid input instead of returningnull. Direct callers (rare — most code usesfindMany-style helpers that handle this internally) should wrap the call intry/catchor migrate to the higher-level helpers. -
#777
3eca9d5Thanks @ascorbic! - Fixesschema_create_collectionMCP tool to apply its documented default of['drafts', 'revisions']forsupportswhen omitted. -
#189
f5658f0Thanks @Sayeem3051! - Add url and email plugin setting field types (Issue #175) -
#777
3eca9d5Thanks @ascorbic! - Preserves structured error codes through MCP tool responses. Errors returned by MCP tools now include a stable[CODE]prefix in the message text and a_meta.codefield on the response envelope, so MCP clients can distinguish failure modes (e.g. NOT_FOUND, CONFLICT, VALIDATION_ERROR) instead of seeing only a generic message. -
#777
3eca9d5Thanks @ascorbic! - Fixesrevision_restorefor collections that support revisions: restore now creates a new draft revision from the source revision's data and updatesdraft_revision_id, leaving the live columns untouched. Previously, restore overwrote the live row directly and left any pending draft unchanged, opposite to the documented contract ("Replaces the current draft..."). The response is also hydrated so the returneddatareflects the post-restore state.Behavior is unchanged for collections that do not support revisions.
-
#734
cf1edaeThanks @huckabarry! - Preserve clearer error logging and run sandboxedafter()content hook tasks in parallel when deferred plugin hooks execute after save and publish. -
#794
b352e88Thanks @ascorbic! - Sanitises thesnippetfield returned by thesearch()API so it is safe to render withset:html/innerHTML. Previously SQLite's FTS5snippet()function spliced literal<mark>tags around matched terms but left the surrounding text unescaped, meaning a post title likeHello <script>alert(1)</script>would render as live markup. Templates and components rendering snippets directly were exposed; the in-treeLiveSearchcomponent already worked around this client-side. Snippets now contain only HTML-escaped source text plus literal<mark>...</mark>highlight tags, matching the documented contract. -
#183
da3d065Thanks @masonjames! - Fixes Astro dev to use the built admin package for external app installs while keeping source aliasing for local monorepo development. -
#777
3eca9d5Thanks @ascorbic! - Tightens conflict-error matchers inhandleContentCreateandhandleContentUpdate. Both paths now match specifically on"unique constraint failed"or"duplicate key"(avoiding false positives where the word "unique" appears in unrelated error text), and produce sanitizedSLUG_CONFLICT/CONFLICTmessages so raw database error text — including Postgres-internal index names — no longer leaks to API consumers. Clients that pattern-match the previous unsanitized messages will see normalized text instead. -
#777
3eca9d5Thanks @ascorbic! - Fixestaxonomy_listexposing collection slugs for collections that no longer exist. Orphaned slugs are filtered out so the response stays consistent withschema_list_collections. -
#777
3eca9d5Thanks @ascorbic! - Fixescontent_unpublishso thatpublishedAtis cleared when an item is unpublished. -
#608
47978b5Thanks @drudge! - Fixes/_emdash/api/widget-areas/*endpoints returning raw DB rows (snake_case fields,contentas a JSON string) instead of the transformedWidgetshape. Admin UI expectscontentto already be a parsed PortableText array andcomponentId/componentProps/menuNamein camelCase, so expanding a content widget in/_emdash/admin/widgetsproduced an empty editor. All four route handlers (GET /widget-areas,GET /widget-areas/:name,POST /widget-areas/:name/widgets,PUT /widget-areas/:name/widgets/:id) now run their results throughrowToWidget, which was made module-exported. -
#777
3eca9d5Thanks @ascorbic! - Addstaxonomies:manageandmenus:manageAPI token scopes for fine-grained control over taxonomy and menu mutations via MCP and REST. Existing tokens withcontent:writecontinue to work for those operations:content:writenow implicitly grantsmenus:manageandtaxonomies:manageso PATs issued before the split keep their effective permissions. The reverse implication does not hold — a token with onlymenus:managecannot create or edit content. -
Updated dependencies [
86b26f6,493e317,e998083,37ada52,acab807,0ecd3b4,4c9f04d,e402890,ed4d880,31333dc,3eca9d5]:- @emdash-cms/admin@1.0.0
- @emdash-cms/auth@1.0.0
- @emdash-cms/auth-atproto@1.0.0
- @emdash-cms/gutenberg-to-portable-text@1.0.0
0.7.0
Minor Changes
-
#705
8ebdf1aThanks @eba8! - Adds admin white-labeling support viaadminconfig inastro.config.mjs. Agencies can set a custom logo, site name, and favicon for the admin panel, separate from public site settings. -
#742
c26442bThanks @ascorbic! - AddstrustedProxyHeadersconfig option so self-hosted deployments behind a reverse proxy can declare which client-IP headers to trust. Used by auth rate limits (magic-link, signup, passkey, OAuth device flow) and the public comment endpoint — without it, every request on a non-Cloudflare deployment was treated as "unknown" and rate limits were effectively disabled.Set the option in
astro.config.mjs:emdash({ trustedProxyHeaders: ["x-real-ip"], // nginx, Caddy, Traefik });or via the
EMDASH_TRUSTED_PROXY_HEADERSenv var (comma-separated). Headers are tried in order; values ending inforwarded-forare parsed as comma-separated lists.Also removes the user-agent-hash fallback on the comment endpoint. The fallback was meant to give anonymous commenters on non-Cloudflare deployments something approximating per-user rate limiting, but the UA is trivially rotatable; requests with no trusted IP now share a stricter "unknown" bucket. Operators behind a reverse proxy should set
trustedProxyHeadersto restore per-IP bucketing.Only set
trustedProxyHeaderswhen you control the reverse proxy. Trusting a forwarded-IP header from the open internet lets any client spoof their IP and defeats rate limiting.
Patch Changes
-
#745
7186961Thanks @ascorbic! - Fixes an unauthenticated denial-of-service via the 404 log. Every 404 response previously inserted a new row into_emdash_404_log, so an attacker could grow the database without bound by requesting unique nonexistent URLs. Repeat hits to the same path now dedup into a single row with ahitscounter andlast_seen_attimestamp, referrer and user-agent headers are truncated to bounded lengths, and the log is capped at 10,000 rows with oldest-first eviction. -
#739
e9ecec2Thanks @MohamedH1998! - Fixes the REST content API silently strippingpublishedAton create/update andcreatedAton create. Importers can now preserve original publish and creation dates on migrated content. Gated behindcontent:publish_any(EDITOR+) so regular contributors cannot backdate posts.createdAtis intentionally not accepted on update —created_atis treated as immutable. -
#732
e3e18aaThanks @jcheese1! - Fixes select dropdown appearing behind dialog by removing explicit z-index values and addingisolateto the admin body for proper stacking context. -
#695
fae63bdThanks @ascorbic! - Fixesemdash seedso entries declared with"status": "published"are actually published. Previously the seed wrote the content row withstatus: "published"and apublished_attimestamp but never created a live revision, so the admin UI showed "Save & Publish" instead of "Unpublish" andlive_revision_idstayed null. The seed now promotes published entries to a live revision on both create and update paths. -
#744
30d8fe0Thanks @ascorbic! - Fixes a setup-window admin hijack by binding/setup/adminand/setup/admin/verifyto a per-session nonce cookie. Previously an unauthenticated attacker who could reach a site during first-time setup could POST to/setup/adminbetween the legitimate admin's email submission and passkey verification, overwriting the stored email — the admin account would then be created with the attacker's address. The admin route now mints a cryptographically random nonce, stores it in setup state, and sets it as an HttpOnly, SameSite=Strict,/_emdash/-scoped cookie; the verify route rejects any request whose cookie does not match in constant time. -
#685
d4a95bfThanks @ascorbic! - Fixes visual editing: clicking an editable field now opens the inline editor instead of always opening the admin in a new tab. The toolbar's manifest fetch was readingmanifest.collectionsdirectly but the/_emdash/api/manifestendpoint wraps its payload in{ data: … }, so every field-kind lookup returnednulland every click fell through to the admin-new-tab fallback. -
#743
a31db7dThanks @ascorbic! - Locksemdash:site_urlafter the first setup call so a spoofed Host header on a later step of the wizard can't overwrite it. Config (siteUrl) and env (EMDASH_SITE_URL) paths already took precedence; this is a defence-in-depth guard for deployments that rely on the request-origin fallback. -
#737
adb118cThanks @ascorbic! - Rate-limits the self-signup request endpoint to prevent abuse.POST /_emdash/api/auth/signup/requestnow allows 3 requests per 5 minutes per IP, matching the existing limit on magic-link/send. Over-limit requests return the same generic success response as allowed-but-ignored requests, so the limit isn't observable to callers. -
#738
080a4f1Thanks @ascorbic! - Strengthens SSRF protection on the import pipeline against DNS-rebinding. ThevalidateExternalUrlhelper now also blocks known wildcard DNS services (nip.io,sslip.io,xip.io,traefik.me,lvh.me,localtest.me) and trailing-dot FQDN forms of blocked hostnames. A newresolveAndValidateExternalUrlresolves the target hostname via DNS-over-HTTPS (Cloudflare) and rejects if any returned IP is in a private range.ssrfSafeFetchand the plugin unrestricted-fetch path now use the DNS-aware validator on every hop. This adds two DoH round-trips per outbound request; self-hosted admins whose egress blockscloudflare-dns.comcan inject a custom resolver viasetDefaultDnsResolver. -
#736
81fe93bThanks @ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retaincontent:readfor member-only published content but no longer see non-published items via the REST API or MCP server. Adds a newcontent:read_draftspermission (Contributor and above) that gates/compare,/revisions,/trash,/preview-url, and the corresponding MCP tools. -
Updated dependencies [
8ebdf1a,2e4b205,e3e18aa,743b080,fa8d753,81fe93b]:- @emdash-cms/admin@0.7.0
- @emdash-cms/auth@0.7.0
- @emdash-cms/gutenberg-to-portable-text@0.7.0
0.6.0
Minor Changes
-
#626
1859347Thanks @ascorbic! - Adds eager hydration of taxonomy terms ongetEmDashCollectionandgetEmDashEntryresults. Each entry now exposes adata.termsfield keyed by taxonomy name (e.g.post.data.terms.tag,post.data.terms.category), populated via a single batched JOIN query alongside byline hydration. Templates that previously looped and calledgetEntryTerms(collection, id, taxonomy)per entry can readentry.data.termsdirectly and skip the N+1 round-trip.New exports:
getAllTermsForEntries,invalidateTermCache.Reserved field slugs now also block
terms,bylines, andbylineat schema-creation time to prevent new fields shadowing the hydrated values. Existing installs that already have a user-defined field with any of those slugs will see the hydrated value overwrite the stored value on read (consistent with the pre-existing behavior ofbylines/bylinehydration); rename the field to keep its data accessible. -
#600
9295cc1Thanks @ascorbic! - Adds Noto Sans as the default admin UI font via the Astro Font API. Fonts are downloaded from Google at build time and self-hosted. The base font covers Latin, Cyrillic, Greek, Devanagari, and Vietnamese. Additional scripts (Arabic, CJK, Hebrew, Thai, etc.) can be added via the newfonts.scriptsconfig option. Setfonts: falseto disable and use system fonts.
Patch Changes
-
#648
ada4ac7Thanks @CacheMeOwside! - Adds the missingurlfield type for seed files, content type builder, and content editor with client-side URL validation. -
#658
f279320Thanks @ascorbic! - Addsafter(fn)— a helper for deferring bookkeeping work past the HTTP response. On Cloudflare it hands off towaitUntil(extending the worker's lifetime); on Node it fire-and-forgets (the event loop keeps the process alive for the next request anyway). Host binding is plumbed through a newvirtual:emdash/wait-untilvirtual module so core stays runtime-neutral — Cloudflare-specific imports live in the integration layer, not in request-handling code.First use: cron stale-lock recovery (
_emdash_cron_tasksUPDATE) now runs after the response ships instead of blocking it. On D1 this shaves a primary-routed write off the cold-start critical path.Usage:
import { after } from "emdash"; // Fire-and-forget; errors are caught and logged so a deferred task // never surfaces as an unhandled rejection. after(async () => { await recordAuditEntry(); }); -
#642
7f75193Thanks @Pouf5! - AddsmaxUploadSizeconfig option to set the maximum media file upload size in bytes. Defaults to 52_428_800 (50 MB) — existing behaviour is unchanged. -
#595
cfd01f3Thanks @ascorbic! - Fixes playground initialization crash caused by syncSearchState attempting first-time FTS enablement during field creation. -
#663
38d637bThanks @ascorbic! - CachegetSiteSetting(key)per-request. It was firing an uncachedoptionstable read on every call, so templates that pull several settings (orEmDashHeadreadingseoon every page render) paid N round-trips to the D1 primary instead of sharing one. Noticeable on colos far from the primary — APS/APE were seeing ~30–100 ms of avoidable warm-render latency per page.Wraps each key in
requestCached("siteSetting:${key}", ...)so concurrent callers in a single render share the in-flight query. -
#631
31d2f4eThanks @ascorbic! - Improves cold-start performance for anonymous page requests. Sites with D1 replicas far from the worker colo should see the biggest improvement; on the blog-demo the homepage cold request on Asia colos dropped from several seconds to under a second.Three underlying changes:
- Search index health checks run on demand (on the first search request) rather than at worker boot, reclaiming the time a boot-time scan spent walking every searchable collection.
- Module-scoped caches (manifest, taxonomy names, byline existence, taxonomy-assignment existence) are now reused across anonymous requests that route through D1 read replicas. They previously rebuilt on every request.
- Cold-start Server-Timing headers break runtime init into sub-phases (
rt.db,rt.plugins, etc.) so further regressions are easier to diagnose.
-
#605
445b3bfThanks @ascorbic! - Fixes D1 read replicas being bypassed for anonymous public page traffic. The middleware fast path now asks the database adapter for a per-request scoped Kysely, so anonymous reads land on the nearest replica instead of the primary-pinned singleton binding.All D1-specific semantics (Sessions API, constraint selection, bookmark cookie) live in
@emdash-cms/cloudflare/db/d1behind a singlecreateRequestScopedDb(opts)function. Core middleware has no D1-specific logic. Adapters opt in via a newsupportsRequestScope: booleanflag onDatabaseDescriptor;d1()sets it to true.Other fixes in the same change:
- Nested
runWithContextcalls in the request-context middleware now merge the parent context instead of replacing it, so an outer per-request db override is preserved through edit/preview flows. - Baseline security headers now forward Astro's cookie symbol across the response clone so
cookies.set()calls in middleware survive. - Any write (authenticated or anonymous) now forces
first-primary, so an anonymous form/comment POST isn't racing across replicas. - The session user is read once per request and reused in both the fast path and the full runtime init (previously read twice on authenticated public-page traffic).
- Bookmark cookies are validated only for length (≤1024) and absence of control characters — no stricter shape check, so a future D1 bookmark format change won't silently degrade consistency.
- The
!configbail-out now still applies baseline security headers. __ec_d1_bookmarkreferences aligned to__em_d1_bookmarkacross runtime, docs, and JSDoc.
- Nested
-
#654
943d540Thanks @ascorbic! - Dedups repeat DB queries within a single page render. Measured against the query-count fixture:- The "has any bylines / has any taxonomy terms" probes were module-scoped singletons, but the bundler duplicates those modules across chunks — each chunk ended up with its own copy of the singleton, so the probe re-ran whenever a different chunk called the helper. Stored on
globalThiswith a Symbol key (same pattern asrequest-context.ts), so a single value is shared across all chunks now. - Wraps
getCollectionInfo,getTaxonomyDef,getTaxonomyTerms, andgetEmDashCollectionin the request-scoped cache so two callers with the same arguments in the same render share a single query.
Biggest wins land on pages that render multiple content-heavy components (a post detail page with comments, byline credits, and sidebar widgets). On the fixture post page: -3 queries cold / -1 warm under SQLite, -2 queries cold under D1.
- The "has any bylines / has any taxonomy terms" probes were module-scoped singletons, but the bundler duplicates those modules across chunks — each chunk ended up with its own copy of the singleton, so the probe re-ran whenever a different chunk called the helper. Stored on
-
#668
2cb3165Thanks @CacheMeOwside! - Fixes boolean field checkbox displaying as unchecked after publish in the admin UI. -
#500
14c923bThanks @all3f0r1! - Adds inline term creation in the post editor taxonomy sidebar. Tags show a "Create" option when no match exists; categories get an "Add new" button below the list. -
#606
c5ef0f5Thanks @ascorbic! - Caches the manifest in memory and in the database to eliminate N+1 schema queries per request. Batches site info queries during initialization. Cold starts read 1 cached row instead of rebuilding from scratch. -
#671
f839381Thanks @jcheese1! - Fixes MCP OAuth discovery and dynamic client registration so EmDash only advertises supported client registration mechanisms and rejects unsupported redirect URIs or token endpoint auth methods during client registration. Also exempts OAuth protocol endpoints (token, register, device code, device token) from the Origin-based CSRF check, since these endpoints are called cross-origin by design (MCP clients, CLIs, native apps) and carry no ambient credentials, and sends the required CORS headers so browser-based MCP clients can reach them. -
#664
002d0acThanks @ascorbic! -getSiteSetting(key)now transparently piggybacks ongetSiteSettings()when the batch has already been loaded in the current request. If a parent template has calledgetSiteSettings()(which is request-cached), a latergetSiteSetting("seo")— fromEmDashHead, a plugin, or user code — reads the key from that cached result instead of firing its own round-trip. Falls back to a per-key cached query when nothing has been primed.Exposes
peekRequestCache(key)for internal use by other helpers that want the same "read from a broader cached query if available" pattern.On the blog-demo fixture: the SEO call added in PR #613 now costs zero extra queries per page (it reads from the Base layout's existing
getSiteSettings()result). -
#465
0a61ef4Thanks @Pouf5! - Fixes FTS5 tables not being created when a searchable collection is created or updated via the Admin UI. -
#636
6d41fe1Thanks @ascorbic! - Fixes two correctness issues from the #631 cold-start work:ensureSearchHealthy()now runs against the runtime's singleton database instead of the per-request session-bound one. The verify step reads, but a corrupted index triggers a rebuild write, and D1 Sessions on a GET request usesfirst-unconstrainedrouting that's free to land on a replica. The singleton goes through the default binding, which the adapter correctly promotes tofirst-primaryfor writes.- The playground request-context middleware now sets
dbIsIsolated: true. Without it, schema-derived caches (manifest, taxonomy defs, byline/term existence probes) could carry values across playground sessions that have independent schemas.
-
#627
b158e40Thanks @ascorbic! - Prime the request-scoped cache forgetEntryTermsduring collection and entry hydration.getEmDashCollectionandgetEmDashEntryalready fetch taxonomy terms for their results via a single batched JOIN; now the same data is seeded into the per-request cache under the same keysgetEntryTermsuses, so existing templates that still callgetEntryTerms(collection, id, taxonomy)in a loop get cache hits instead of a serial DB round-trip per iteration.Empty-result entries are seeded with
[]for every taxonomy that applies to the collection so "this post has no tags" also short-circuits without a query. Cache entries are scoped to the request context via ALS and GC'd with it. -
#653
f97d6abThanks @ascorbic! - Adds opt-in query instrumentation for performance regression testing. SettingEMDASH_QUERY_LOG=1causes the Kysely log hook to emit[emdash-query-log]-prefixed NDJSON on stdout for every DB query executed inside a request, tagged with the route, method, and anX-Perf-Phaseheader value. Zero runtime overhead when the flag is unset — the log option is only attached to Kysely when enabled.Also exposes the helpers at
emdash/database/instrumentationso first-party adapters (e.g.@emdash-cms/cloudflare) can wire the same hook into their per-request Kysely instances. -
#613
e67b940Thanks @nickgraynews! - Fixes site SEO settingsgoogleVerificationandbingVerificationnot being emitted into<head>. The fields were stored in the database and editable in the admin UI but were never rendered as<meta name="google-site-verification">or<meta name="msvalidate.01">tags, making meta-tag verification with Google Search Console and Bing Webmaster Tools impossible. EmDashHead now loads site SEO settings and renders these tags on every page. -
#659
0896ec8Thanks @ascorbic! - Two query-count reductions on the request hot path:- Widget areas now fetch in a single query.
getWidgetArea(name)used to do two round-trips — one for the area, one for its widgets. Single left-join now. Saves one query per<WidgetArea>rendered on a page. - Dropped the "has any bylines / has any term assignments" probes. Those fired on every hydration call to save a single query on sites with zero bylines/terms — exactly the wrong tradeoff. The batch hydration queries already handle empty sites at the same cost, so the probes are removed. Pre-migration databases (tables not created yet) are still handled via an
isMissingTableErrorcatch. Saves two queries per render on pages that hydrate bylines and taxonomy terms.
On the fixture post-detail page: SQLite
/posts/[slug]drops from 34 → 32, D1 from 43 → 39. The widget-area JOIN shaves one off every page that renders a widget area.invalidateBylineCache()andinvalidateTermCache()are preserved as no-op exports so callers don't break. - Widget areas now fetch in a single query.
-
#558
629fe1dThanks @csfalcao! - Fixes/_emdash/api/search/suggest500 error.getSuggestionsno longer double-appends the FTS5 prefix operator*on top of the oneescapeQueryalready adds, so autocomplete queries like?q=desnow return results instead of raisingSqliteError: fts5: syntax error near "*". -
#552
f52154dThanks @masonjames! - Fixes passkey login failures so unregistered or invalid credentials return an authentication failure instead of an internal server error. -
#601
8221c2aThanks @CacheMeOwside! - Fixes the Save Changes button on the Content Type editor failing silently with a 400 error -
#598
8fb93ebThanks @maikunari! - Fixes WordPress import error reporting to surface the real exception message instead of a generic "Failed to import item" string, making import failures diagnosable. -
#629
6d7f288Thanks @CacheMeOwside! - Adds toast feedback when taxonomy assignments are saved or fail on content items. -
#638
4ffa141Thanks @auggernaut! - Fixes repeated FTS startup rebuilds on SQLite by verifying indexed row counts against the FTS shadow table. -
#582
04e6ccaThanks @all3f0r1! - Improves the "Failed to create database" error to detect NODE_MODULE_VERSION mismatches from better-sqlite3 and surface an actionable message telling the user to rebuild the native module. -
Updated dependencies [
dfcb0cd,cf63b02,0b32b2f,913cb62,6c92d58,a2d5afb,39d285e,f52154d]:- @emdash-cms/admin@0.6.0
- @emdash-cms/auth@0.6.0
- @emdash-cms/gutenberg-to-portable-text@0.6.0
0.5.0
Minor Changes
-
#540
82c6345Thanks @jdevalk! - Addswhere: { status?, locale? }toContentListOptions, letting plugins narrowContentAccess.list()results at the database layer instead of filtering the returned array. The underlying repository already supports these filters — this PR only exposes them through the plugin-facing type. -
#551
598026cThanks @ophirbucai! - Adds RTL (right-to-left) language support infrastructure. Enables proper text direction for RTL languages like Arabic, Hebrew, Farsi, and Urdu. Includes LocaleDirectionProvider component that syncs HTML dir/lang attributes with Kumo's DirectionProvider for automatic layout mirroring when locale changes.
Patch Changes
-
#542
64f90d1Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration. -
#555
197bc1bThanks @ascorbic! - Fixes OAuth authorization server metadata discovery for MCP clients by serving it at the RFC 8414-compliant path. -
#534
ce873f8Thanks @ttmx! - Fixes Table block to render inline marks (bold, italic, code, links, etc.) through the Portable Text pipeline instead of stripping them to plain text. Links are sanitized viasanitizeHref(). Table styles now use CSS custom properties with fallbacks. -
Updated dependencies [
9ea4cf7,64f90d1,598026c]:- @emdash-cms/admin@0.5.0
- @emdash-cms/auth@0.5.0
- @emdash-cms/gutenberg-to-portable-text@0.5.0
0.4.0
Minor Changes
-
#539
8ed7969Thanks @jdevalk! - Addslocaleto theContentItemtype returned by the plugin content access API. Follow-up to #536 — plugins that build i18n URLs from content records need the locale to pick the right URL prefix, otherwise multilingual content is emitted at default-locale URLs. -
#523
5d9120eThanks @jdevalk! - Addnlwebto the allowedrelvalues forpage:metadatalink contributions, letting plugins inject<link rel="nlweb" href="...">tags for agent/conversational endpoint discovery. -
#536
9318c56Thanks @ttmx! - Addsslug,status, andpublishedAtto theContentItemtype returned by the plugin content access API. ExportsContentPublishStateChangeEventtype. FiresafterDeletehooks on permanent content deletion. -
#519
5c0776dThanks @ascorbic! - Enables the MCP server endpoint by default. The endpoint at/_emdash/api/mcprequires bearer token auth, so it has no effect unless a client is configured. Setmcp: falseto disable.Fixes MCP server crash ("exports is not defined") on Cloudflare in dev mode by pre-bundling the MCP SDK's CJS dependencies for workerd.
Patch Changes
-
#515
5beddc3Thanks @ascorbic! - Reduces logged-out page load queries by caching byline existence, URL patterns, and redirect rules at worker level with proper invalidation. -
#512
f866c9cThanks @mahesh-projects! - Fixes save/publish race condition in visual editor toolbar. When a user blurred a field and immediately clicked Publish, the in-flight save PUT could arrive at the server after the publish POST, causing the stale revision to be promoted silently. IntroducespendingSavePromisesopublish()chains onto the pending save rather than firing immediately. -
#537
1acf174Thanks @Glacier-Luo! - Fixes plugin bundle resolving dist path before source, which caused build failures and potential workspace-wide source file destruction. -
#538
678cc8cThanks @Glacier-Luo! - Fixes revision pruning crash on PostgreSQL by replacing column alias in HAVING clause with the aggregate expression. -
#509
d56f6c1Thanks @mvanhorn! - Fixes TypeError when setting baseline security headers on Cloudflare responses with immutable headers. -
#495
2a7c68aThanks @ascorbic! - Fixes atomicity gaps: content update _rev check, menu reorder, byline delete, and seed content creation now run inside transactions. -
#497
6492ea2Thanks @ascorbic! - Fixes migration 011 rollback, plugin media upload returning wrong ID, MCP taxonomy tools bypassing validation, and FTS query escaping logic. -
#517
b382357Thanks @ascorbic! - Improves plugin safety: hooks log dependency cycles, timeouts clear timers, routes don't leak error internals, one-shot cron tasks retry with exponential backoff (max 5), marketplace downloads validate redirect targets. -
#532
1b743acThanks @ascorbic! - Fixes cold-start query explosion (159 -> ~25 queries) by short-circuiting migrations when all are applied, fixing FTS triggers to exclude soft-deleted content, and preventing false-positive FTS index rebuilds on every startup. -
Updated dependencies [
3a96aa7,c869df2,10ebfe1,275a21c,af0647c,b89e7f3,20b03b4,ba0a5af,e2f96aa,4645103]:- @emdash-cms/admin@0.4.0
- @emdash-cms/auth@0.4.0
- @emdash-cms/gutenberg-to-portable-text@0.4.0
0.3.0
Minor Changes
-
#457
f2b3973Thanks @UpperM! - Adds runtime resolution of S3 storage config fromS3_*environment variables (S3_ENDPOINT,S3_BUCKET,S3_ACCESS_KEY_ID,S3_SECRET_ACCESS_KEY,S3_REGION,S3_PUBLIC_URL). Any field omitted froms3({...})is read from the matching env var on Node at runtime, so container images can be built once and receive credentials at boot without a rebuild. Explicit values ins3({...})still take precedence.s3()with no arguments is now valid for fully env-driven deployments.accessKeyIdandsecretAccessKeyare now optional inS3StorageConfig(both or neither). Workers users should continue passing explicit values tos3({...}).
Patch Changes
-
#492
13f5ff5Thanks @UpperM! - Fixes manifest version being hardcoded to "0.1.0". The version and git commit SHA are now injected at build time via tsdown/Vitedefine, reading from package.json andgit rev-parse. -
#494
a283954Thanks @ascorbic! - Adds defensive identifier validation to all SQL interpolation points to prevent injection via dynamic identifiers. -
#351
c70f66fThanks @CacheMeOwside! - Fixes redirect loops causing the ERR_TOO_MANY_REDIRECTS error, by detecting circular chains when creating or editing redirects on the admin Redirects page. -
#499
0b4e61bThanks @ascorbic! - Fixes admin failing to load when installed from npm due to broken locale catalog resolution. -
Updated dependencies [
c70f66f,0b4e61b]:- @emdash-cms/admin@0.3.0
- @emdash-cms/auth@0.3.0
- @emdash-cms/gutenberg-to-portable-text@0.3.0
0.2.0
Minor Changes
-
#367
8f44ec2Thanks @ttmx! - Addscontent:afterPublishandcontent:afterUnpublishplugin hooks, fired after content is published or unpublished. Both are fire-and-forget notifications requiringread:contentcapability, supporting trusted and sandboxed plugins. -
#431
7ee7d95Thanks @jdevalk! - Per-collection sitemaps with sitemap index and lastmod/sitemap.xmlnow serves a<sitemapindex>with one child sitemap per SEO-enabled collection. Each collection's sitemap is at/sitemap-{collection}.xmlwith<lastmod>on both index entries and individual URLs. Uses the collection'surl_patternfor correct URL building. -
#414
4d4ac53Thanks @jdevalk! - Addsbreadcrumbs?: BreadcrumbItem[]toPublicPageContextso themes can publish a breadcrumb trail as part of the page context, and SEO plugins (or any otherpage:metadataconsumer) can read it without having to invent their own per-theme override mechanism.BreadcrumbItemis also exported from theemdashpackage root. The field is optional and non-breaking — existing themes and plugins work unchanged, and consumers can adopt it incrementally. Empty array (breadcrumbs: []) is an explicit opt-out signal (e.g. for homepages);undefinedmeans "no opinion, fall back to consumer's own derivation". -
#111
87b0439Thanks @mvanhorn! - Adds repeater field type for structured repeating data -
#382
befaeecThanks @UpperM! - AddssiteUrlconfig option to fix reverse-proxy origin mismatch. ReplacespasskeyPublicOriginwith a single setting that covers all origin-dependent features: passkeys, CSRF, OAuth, auth redirects, MCP discovery, snapshots, sitemap, robots.txt, and JSON-LD.Supports
EMDASH_SITE_URL/SITE_URLenvironment variables for container deployments where the domain is only known at runtime.Disables Astro's
security.checkOrigin(EmDash's own CSRF layer handles origin validation with dual-origin support and runtime siteUrl resolution). WhensiteUrlis set in config, also setssecurity.allowedDomainssoAstro.urlreflects the public origin in templates.Breaking:
passkeyPublicOriginis removed. Rename tositeUrlin yourastro.config.mjs.
Patch Changes
-
#182
156ba73Thanks @masonjames! - Fixes media routes so storage keys with slashes resolve correctly. -
#422
80a895bThanks @baezor! - Fixes SEO hydration exceeding D1 SQL variable limit on large collections by chunking thecontent_id IN (...)clause inSeoRepository.getMany. -
#94
da957ceThanks @eyupcanakman! - Reject dangerous URL schemes in menu custom links -
#223
fcd8b7bThanks @baezor! - Fixes byline hydration exceeding D1 SQL variable limit on large collections by chunking IN clauses. -
#479
8ac15a4Thanks @ascorbic! - Enforces permission checks on content status transitions, media provider endpoints, and translation group creation. -
#250
ba2b020Thanks @JULJERYT! - Optimize dashboard stats (3x fewer db queries) -
#340
0b108cfThanks @mvanhorn! - Passes emailPipeline to plugin route handler context so plugins with email:send capability can send email from route handlers. -
#148
1989e8bThanks @masonjames! - Adds public plugin settings helpers. -
#352
e190324Thanks @barckcode! - Allows external HTTPS images in the admin UI by addinghttps:to theimg-srcCSP directive. Fixes external content images (e.g. from migration or external hosting) being blocked in the content editor. -
#72
724191cThanks @travisbreaks! - Fix CLI login against remote Cloudflare-deployed instances by unwrapping API response envelope and adding admin scope -
#480
ed28089Thanks @ascorbic! - Fixes admin demotion guard, OAuth consent flow, device flow token exchange, preview token scoping, and revision cleanup on permanent delete. -
#247
a293708Thanks @NaeemHaque! - Fixes email settings page showing empty by registering the missing API route. Adds error state to the admin UI so fetch failures are visible instead of silently swallowed. -
#324
c75cc5bThanks @barckcode! - Fixes admin editor crash when image blocks lack theassetwrapper. Image blocks withurlat the top level (e.g. from CMS migrations) now render correctly instead of throwingTypeError: Cannot read properties of undefined (reading 'url'). -
#353
6ebb797Thanks @ilicfilip! - fix(core): pass field.options through to admin manifest for plugin field widgets -
#209
d421ee2Thanks @JonahFoster! - Fixes base OG, Twitter, and article JSON-LD titles so they can use a page-specific title without including the site name suffix from the document title. -
#394
391caf4Thanks @datienzalopez! - Fixesplugin:activateandplugin:deactivatehooks not being called when enabling or disabling a plugin via the admin UI orsetPluginStatus. Previously,setPluginStatusrebuilt the hook pipeline but never invoked the lifecycle hooks. Nowplugin:activatefires after the pipeline is rebuilt with the plugin included, andplugin:deactivatefires on the current pipeline before the plugin is removed. -
#357
6474daeThanks @Vallhalen! - Fix: default adminPages and dashboardWidgets to empty arrays in manifest to prevent admin UI crash when plugins omit these properties. -
#453
30c9a96Thanks @all3f0r1! - Fixesctx.content.create()andctx.content.update()so plugins can write to the core SEO panel. When the inputdatacontains a reservedseokey, it is now extracted and routed to_emdash_seovia the SEO repository, matching the REST API shape.ctx.content.get()andctx.content.list()also hydrate theseofield on returned items for SEO-enabled collections. -
#326
122c236Thanks @barckcode! - Fixes WXR import not preserving original post dates or publish status. Useswp:post_date_gmt(UTC) with fallback chain topubDate(RFC 2822) thenwp:post_date(site-local). Handles the WordPress0000-00-00 00:00:00sentinel for unpublished drafts. Setspublished_atfor published posts. Applies to both WXR file upload and plugin-based import paths. -
#371
5320321Thanks @pejmanjohn! - Fix MCP OAuth discovery for unauthenticated POST requests. -
#338
b712ae3Thanks @mvanhorn! - Fixes standalone wildcard "" in plugin allowedHosts so plugins declaring allowedHosts: [""] can make outbound HTTP requests to any host. -
#434
9cb5a28Thanks @hayatosc! - Avoid accessing sessions on prerendered public routes. -
#119
e1014efThanks @blmyr! - Fix pluginpage:metadataandpage:fragmentshooks not firing for anonymous public page visitors. The middleware's early-return fast-path for unauthenticated requests now initializes the runtime (skipping only the manifest query), so plugin contributions render via<EmDashHead>,<EmDashBodyStart>, and<EmDashBodyEnd>for all visitors. Also addscollectPageMetadataandcollectPageFragmentsto theEmDashHandlersinterface. -
#424
476cb3aThanks @csfalcao! - Fixes public access to the search API (#104). The auth middleware blocked/_emdash/api/searchbefore the handler ran, so #107's handler-level change never took effect for anonymous callers. Adds the endpoint toPUBLIC_API_EXACTso the shippedLiveSearchcomponent works on public sites without credentials. Admin endpoints (/search/enable,/search/rebuild,/search/stats,/search/suggest) remain authenticated. -
#333
dd708b1Thanks @mvanhorn! - Adds composite index on (deleted_at, published_at DESC, id DESC) to eliminate full table scans for frontend listing queries that order by published_at. -
#448
c92e7e6Thanks @grexe! - fixes logo and favicon site settings not being applied to templates -
#319
2ba1f1fThanks @ideepakchauhan7! - Fixes i18n config returning null in Vite dev SSR by reading from virtual module instead of dynamic import. -
#251
a13c4ecThanks @yohaann196! - fix: expose client_id in device flow discovery response -
#93
a5e0603Thanks @eyupcanakman! - Fix taxonomy links missing from admin sidebar -
Updated dependencies [
0966223,53dec88,3b6b75b,a293708,1a93d51,c9bf640,87b0439,5eeab91,e3f7db8,a5e0603]:- @emdash-cms/admin@0.2.0
- @emdash-cms/auth@0.2.0
- @emdash-cms/gutenberg-to-portable-text@0.2.0
0.1.1
Patch Changes
-
#200
422018aThanks @ascorbic! - Replace placeholder text branding with proper EmDash logo SVGs across admin UI, playground loading page, and preview interstitial -
#206
4221ba4Thanks @tsikatawill! - Fixes multiSelect custom fields rendering as plain text inputs instead of a checkbox group. -
#133
9269759Thanks @kyjus25! - Fix auth links and OAuth callbacks to use/_emdash/api/auth/...so emailed sign-in, signup, and invite URLs resolve correctly in EmDash. -
#365
d6cfc43Thanks @ascorbic! - Fixes migration 033 failing with "index already exists" on databases where the schema registry had already created composite indexes on content tables. -
#313
1bcfc50Thanks @mvanhorn! - Remove FTS5 integrity-check from startup verification to prevent D1 shadow table corruption -
#262
8c693b5Thanks @BenjaminPrice! - Fix media upload OOM on Cloudflare Workers for large images by generating blurhash from client-provided thumbnails instead of decoding full-resolution images server-side -
#330
5b3e33cThanks @MattieTK! - Fixes migration 033 (optimize content indexes) not being registered in the static migration runner, so the composite and partial indexes it defines are now actually applied on startup. -
#181
9d10d27Thanks @ilicfilip! - fix(admin): use collection urlPattern for preview button fallback URL -
#363
91e31fbThanks @ascorbic! - Fixes sandboxed plugin entries failing when package exports point to unbuilt TypeScript source. Adds build-time and bundle-time validation to catch misconfigured plugin exports early. -
#298
f112ac4Thanks @BenjaminPrice! - Fixes install telemetry using an unstable hash that inflated install counts. Uses the site's request origin as a stable hash seed for accurate per-site deduplication. Denormalizes install_count on the marketplace plugins table for query performance. -
#214
e9a6f7aThanks @SARAMALI15792! - Optimizes D1 database indexes to eliminate full table scans in admin panel. Adds composite indexes on ec_* content tables for common query patterns (deleted_at + updated_at/created_at + id) and rewrites comment counting to use partial indexes. Reduces D1 row reads by 90%+ for dashboard operations. -
#107
b297fddThanks @mvanhorn! - Allows public access to search API for frontend LiveSearch -
#225
d211452Thanks @seslly! - AddspasskeyPublicOriginonemdash()so WebAuthnoriginandrpIdmatch the browser when dev sits behind a TLS-terminating reverse proxy. Validates the value at integration load time and threads it through all passkey-related API routes.Updates the admin passkey setup and login flows to detect non-secure origins and explain that passkeys need HTTPS or
http://localhostrather than implying the browser lacks WebAuthn support. -
#105
8e28cfcThanks @ascorbic! - Fix CLI--jsonflag so JSON output is clean. Previously,consola.success()and other log messages leaked into stdout alongside the JSON data, making it unparseable by scripts. Log messages now go to stderr when--jsonis set. -
#83
38af118Thanks @antoineVIVIES! - Sanitize WordPress post type slugs during import. Fixes crashes when importing sites using plugins (Elementor, WooCommerce, ACF, etc.) that register post types with hyphens, uppercase letters, or other characters invalid in EmDash collection slugs. Reserved collection slugs are prefixed withwp_to avoid conflicts. -
Updated dependencies [
12d73ff,422018a,9269759,71744fb,018be7f,9d10d27,d211452,ab21f29,bfcda12,5f448d1]:- @emdash-cms/admin@0.1.1
- @emdash-cms/auth@0.1.1
0.1.0
Minor Changes
Patch Changes
- Updated dependencies [
755b501]:- @emdash-cms/admin@0.1.0
- @emdash-cms/auth@0.1.0
- @emdash-cms/gutenberg-to-portable-text@0.1.0
0.0.3
Patch Changes
-
#8
3c319edThanks @ascorbic! - Fix crash on fresh deployments when the first request hits a public page before setup has run. The middleware now detects an empty database and redirects to the setup wizard instead of letting template helpers query missing tables. -
Updated dependencies [
3c319ed]:- @emdash-cms/admin@0.0.2