emdash releases

Minor Changes

• #1057 c0ce915 Thanks @ascorbic! - BREAKING: Removes the atprotoPlugin named export and the factory call shape. Import the default export and pass it directly into plugins: or sandboxed:.

  - import { atprotoPlugin } from "@emdash-cms/plugin-atproto";
  + import atproto from "@emdash-cms/plugin-atproto";
  
    export default defineConfig({
    	integrations: [
    		emdash({
  - 			sandboxed: [atprotoPlugin()],
  + 			sandboxed: [atproto],
    		}),
    	],
    });
  

  Two changes: drop the { } around the import, and drop the () after the plugin name. Per-install configuration moved to the admin UI's settings (KV-backed) when the sandboxed plugin redesign landed, so there's no longer a need for a factory call.

Patch Changes

• Updated dependencies [6e62b90, c0ce915, 23597d0, 883b75b, 05440b1, 94fb50b, 0d5843f, 0cd8c6d, 878a0b6, 121f173, f4a9711, dbaea9c, 5681eb2, ed917d9, 6e62b90]:
  • [email protected]

Minor Changes

• #1057 c0ce915 Thanks @ascorbic! - BREAKING: Removes the webhookNotifierPlugin named export and the factory call shape. Import the default export and pass it directly into plugins: or sandboxed:.

  - import { webhookNotifierPlugin } from "@emdash-cms/plugin-webhook-notifier";
  + import webhookNotifier from "@emdash-cms/plugin-webhook-notifier";
  
    export default defineConfig({
    	integrations: [
    		emdash({
  - 			sandboxed: [webhookNotifierPlugin()],
  + 			sandboxed: [webhookNotifier],
    		}),
    	],
    });
  

  Two changes: drop the { } around the import, and drop the () after the plugin name. Per-install configuration moved to the admin UI's settings (KV-backed) when the sandboxed plugin redesign landed, so there's no longer a need for a factory call.

Patch Changes

• Updated dependencies [6e62b90, c0ce915, 23597d0, 883b75b, 05440b1, 94fb50b, 0d5843f, 0cd8c6d, 878a0b6, 121f173, f4a9711, dbaea9c, 5681eb2, ed917d9, 6e62b90]:
  • [email protected]

Minor Changes

• #1057 c0ce915 Thanks @ascorbic! - BREAKING: Removes the auditLogPlugin named export and the factory call shape. Import the default export and pass it directly into plugins: or sandboxed:.

  - import { auditLogPlugin } from "@emdash-cms/plugin-audit-log";
  + import auditLog from "@emdash-cms/plugin-audit-log";
  
    export default defineConfig({
    	integrations: [
    		emdash({
  - 			plugins: [auditLogPlugin()],
  + 			plugins: [auditLog],
    		}),
    	],
    });
  

  Two changes: drop the { } around the import, and drop the () after the plugin name. Per-install configuration moved to the admin UI's settings (KV-backed) when the sandboxed plugin redesign landed, so there's no longer a need for a factory call.

Patch Changes

• Updated dependencies [6e62b90, c0ce915, 23597d0, 883b75b, 05440b1, 94fb50b, 0d5843f, 0cd8c6d, 878a0b6, 121f173, f4a9711, dbaea9c, 5681eb2, ed917d9, 6e62b90]:
  • [email protected]

Minor Changes

• #1057 c0ce915 Thanks @ascorbic! - BREAKING (plugin authors): Reworks how sandboxed plugins are defined. The definePlugin() helper is removed for sandboxed-format plugins; the new shape is a bare default export with a satisfies SandboxedPlugin annotation. A new type-only subpath emdash/plugin provides the types.

  This affects anyone writing a sandboxed plugin. Sites that use plugins are unaffected (see the per-plugin changesets for the import-shape change in published plugins).

  - import { definePlugin, type ContentHookEvent, type PluginContext } from "emdash";
  + import type { SandboxedPlugin } from "emdash/plugin";
  
  - export default definePlugin({
  + export default {
       hooks: {
           "content:beforeSave": {
  -			handler: async (event: ContentHookEvent, ctx: PluginContext) => {
  +			handler: async (event, ctx) => {
                   // ...
                   return event.content;
               },
           },
       },
  - });
  + } satisfies SandboxedPlugin;
  

  Three changes:

  1. Drop import { definePlugin } from "emdash" and the definePlugin(...) wrapping call. Sandboxed plugins now default-export the bare object.
  2. import type { SandboxedPlugin } from "emdash/plugin" and add satisfies SandboxedPlugin to the default export. The emdash/plugin subpath is type-only — the bundler erases the import, so no runtime resolution of emdash is needed (and the heavy emdash runtime no longer enters the plugin bundle).
  3. Drop handler parameter annotations like event: ContentSaveEvent, ctx: PluginContext. The strict mapped type on SandboxedPlugin infers them per hook name, with the full canonical event type. If you need to reference an event type by name (e.g. in a helper function), emdash/plugin re-exports them: import type { ContentHookEvent, PluginContext } from "emdash/plugin".

  Why: the old definePlugin was an identity function whose only job was to alias emdash to a Proxy shim at build time so the import would resolve. With the new shape, sandboxed plugins have no runtime emdash import — only type-only imports from emdash/plugin. The bundler doesn't need to alias anything; the build pipeline is simpler; and authors get strict per-hook event/return type inference for free.

  The trade-off: previously you could narrow an event type locally (e.g. interface ContentSaveEvent { content: ... & { id: string } }). Under the strict mapped type, the canonical event type wins (TypeScript's contravariance on function parameters means narrowing isn't assignable). Authors validate fields at runtime with typeof / isRecord checks instead — which is the right pattern for input that comes from outside the type system anyway.

  Routes follow the same simplification. The two-arg (routeCtx, ctx) shape is unchanged; only the annotations disappear:

  export default {
  	routes: {
  		health: async (routeCtx, ctx) => {
  			// routeCtx: SandboxedRouteContext, ctx: PluginContext — both inferred.
  			return new Response("ok");
  		},
  	},
  } satisfies SandboxedPlugin;
  

  SandboxedRouteContext exposes { input, request, requestMeta? }. request is typed as SandboxedRequest — a { url, method, headers } record that's portable across in-process and isolate execution (Worker Loader can't pass real Request objects across the boundary).

  Native plugins are unaffected. This change applies only to sandboxed-format plugins. Native plugins continue to use definePlugin() from emdash and the existing PluginDefinition shape.

  Type rename: SandboxedPlugin on the emdash package now refers to the new author-facing source-shape type. The runtime-side handle type (returned by SandboxRunner.load, held in the runtime's plugin cache) is renamed to SandboxedPluginInstance. If you import SandboxedPlugin from emdash to type a sandbox runner implementation or hold runtime plugin handles, update those imports to SandboxedPluginInstance. Public consumers of this type are mostly limited to @emdash-cms/cloudflare and other sandbox runner adapters; standard plugin / site code is unaffected.

  Removed types: StandardPluginDefinition, StandardHookHandler, StandardHookEntry, StandardRouteHandler, StandardRouteEntry are no longer exported from emdash. These were authoring-helper aliases under the old permissive definePlugin standard overload. Use SandboxedPlugin from emdash/plugin for the same purpose under the new shape.

  Removed function: isStandardPluginDefinition is gone. There's no equivalent — sandboxed plugins are identified by structure ({ hooks?, routes? }) and you should treat the default export as already typed via satisfies SandboxedPlugin.

• #1052 0d5843f Thanks @Rimander! - Fixes menu REST API consistency:

  • POST /menus/:name/items no longer accepts unknown keys silently. Sending custom_url (snake_case) or url used to return 201 with custom_url: null because Zod's default .strip() quietly dropped them. The schemas now use .strict() and return 400 VALIDATION_ERROR with Unrecognized key: "custom_url". The documented camelCase keys (customUrl, sortOrder, referenceCollection, etc.) are unchanged and persist as before. The type field is now validated against the canonical enum ("custom" | "page" | "post" | "taxonomy" | "collection"); previously any string passed.
  • Moves per-item writes to PUT and DELETE /menus/:name/items/:id (path-style). Every other EmDash resource (content, taxonomies, redirects, sections, widget-areas) addresses items by URL path; menus were the lone outlier requiring ?id=<id> in the query string. The legacy query-string form is removed (it was undocumented and only used by the admin, which is updated in this PR). Callers should use PUT /menus/:name/items/:id / DELETE /menus/:name/items/:id.
  • Menu and menu-item API responses are now camelCase, aligning with the rest of EmDash's REST surface (content, taxonomies, redirects, …). created_at → createdAt, updated_at → updatedAt, menu_id → menuId, parent_id → parentId, sort_order → sortOrder, reference_collection → referenceCollection, reference_id → referenceId, custom_url → customUrl, title_attr → titleAttr, css_classes → cssClasses, translation_group → translationGroup. Breaking for direct REST consumers that depend on snake_case keys in the response body. The admin UI is already updated.
  • Refactors menus to the standard repository pattern. Adds MenuRepository next to ContentRepository, TaxonomyRepository, RedirectRepository, MediaRepository, CommentRepository. Handlers become thin orchestrators; the repository is now the single place where snake_case rows become camelCase entities.

  These changes do not touch any database schema or migration. Existing data is preserved.

• #1011 dbaea9c Thanks @ascorbic! - Adds experimental support for the decentralized plugin registry (see RFC #694). Configure with experimental.registry.aggregatorUrl in astro.config.mjs; the admin UI then uses the registry instead of the centralized marketplace for browse and install. Marketplace behavior is unchanged when the option is not set.

  The experimental config accepts a policy.minimumReleaseAge duration (e.g. "48h") that holds back releases below that age from install and update prompts, with a policy.minimumReleaseAgeExclude allowlist for trusted publishers or specific packages. The minimum-release-age check is enforced both client-side (for UX) and server-side (in the install endpoint), so stale browser tabs and deep links still hit the gate.

Patch Changes

• #1076 6e62b90 Thanks @ascorbic! - Fixes spurious TypeScript errors in strict projects that consume EmDash. Several subpaths (emdash/routes/*, emdash/api/route-utils, emdash/api/schemas, emdash/auth/providers/github, emdash/auth/providers/google) previously shipped raw source, so your tsc and editor type-checked EmDash's internals against your config and could report errors that weren't yours. These now ship compiled type declarations instead. The *-admin providers and emdash/ui stay source because they bridge the admin React/Astro runtime your own build processes. Import paths and runtime behaviour are unchanged.

• #1086 23597d0 Thanks @ascorbic! - Fixes silent data loss in migration 036 on Cloudflare D1 (#1021). D1 ignores PRAGMA foreign_keys = OFF and its replacement defer_foreign_keys only defers constraint validation, it doesn't suppress CASCADE actions, so dropping any table during the i18n rebuild fired its child cascades. Three FK relationships were affected:

  • content_taxonomies.taxonomy_id -> taxonomies(id) ON DELETE CASCADE wiped all post-taxonomy associations.
  • taxonomies.parent_id -> taxonomies(id) ON DELETE SET NULL flattened taxonomy hierarchies.
  • _emdash_menu_items.menu_id -> _emdash_menus(id) ON DELETE CASCADE wiped every menu item on the install (along with parent_id -> _emdash_menu_items(id) ON DELETE CASCADE mopping up nested items).

  The migration now physically removes those FK relationships before any drop. content_taxonomies and _emdash_menu_items are rebuilt without their parent FKs as the first steps of up(), and the new taxonomies self-FK targets its temporary name (taxonomies_new) which SQLite rebinds on RENAME. The FKs from migration 005 on _emdash_menu_items are not restored on rollback either: the runtime always deleted child rows explicitly, so the cascade was redundant and reinstating it would only re-create the #1021 hazard on any future migration that drops _emdash_menus. Rollback also refuses to run when content_taxonomies has rows referencing translation groups with no surviving taxonomies row, surfacing dangling data before any destructive work, and the idx_content_taxonomies_term index from migration 015 is restored after each rebuild.

  This is forward-fix only. Installs that already lost data when running 036 will need to restore from D1 Time Travel.

• #1088 883b75b Thanks @MA2153! - Fixes EmDashClient.terms() returning { terms } instead of { items }, which caused page.items to be undefined for any caller that iterated the result. The API handler returns { terms: TermWithCount[] } but the client was typed and advertised as ListResult<Term> — the key name mismatch is now mapped correctly.

• #751 05440b1 Thanks @edrpls! - Fix the admin collection list pagination denominator so it no longer grows in increments of 5 as the user pages forward.

  The GET /_emdash/api/content/{collection} response now includes a total field with the full filtered row count (independent of limit). The admin uses it as the pagination denominator, so a 143-entry collection reads 1/8 on page 1 instead of 1/5 → 5/10 → 10/15 → … as successive API pages load.

  The total field is optional; pre-upgrade clients that ignore it still work, and the admin falls back to the loaded-item count when an older server doesn't return it.

  Also handles the edge case where the current page exceeds totalPages after filtering or deletion — the admin clamps the active page so the table doesn't render empty while waiting for a refetch.

• #1000 94fb50b Thanks @ask-bonk! - Fixes invite passkey registration behind a TLS-terminating reverse proxy. The invite register-options endpoint now resolves the public origin via getPublicOrigin(url, emdash.config) before calling getPasskeyConfig, matching every other passkey endpoint. Previously the WebAuthn RP ID fell back to url.hostname (e.g. localhost), causing the browser to reject the registration with "Security error" when the public origin differed from the upstream host.

• #1013 0cd8c6d Thanks @ascorbic! - Fixes the slash command menu's initial selection getting overridden when the menu opens under a stationary pointer. The menu items previously reacted to mouseenter unconditionally, so an item rendered beneath the cursor would steal selection from the keyboard default before any user interaction. Mouse-hover-selects still works, but only after the user actually moves the pointer over the menu.

• #1087 878a0b6 Thanks @ascorbic! - Fixes two data-loss bugs in the WordPress WXR import path (admin UI Settings, Import, WordPress, i.e. POST /_emdash/api/import/wordpress/execute).

  Per-post taxonomy assignments parsed from <wp:category>, <wp:tag>, <wp:term>, and per-item <category domain="..."> blocks (#1061) are now persisted. The HTTP execute handler previously extracted this data and silently discarded it before any taxonomy or pivot rows were written. Terms are created idempotently in EmDash's seeded category and tag taxonomies; custom taxonomies such as genre are matched against existing EmDash definitions via the runtime's locale fallback chain (resolveLocaleChain), so imports against a non-default-locale site reuse defs seeded at the default locale instead of false-failing. Unknown custom taxonomies surface in a new result.taxonomies.missingTaxonomies field instead of being silently dropped, so the admin can prompt the user to create the missing definition. Assignments respect each taxonomy definition's collections array.

  WPML and Polylang translations (#1080) are now imported under their own per-post locale and linked via translation_group. Previously the entire upload shared one config.locale and the second post of any translation pair was rejected by the UNIQUE(slug, locale) constraint introduced in migration 019. The parser promotes per-post locale from _icl_lang_code (WPML), trid (WPML's translation group id), _locale (Polylang), the language taxonomy, or _translations postmeta. Terms are mirrored into each translation's locale so per-locale lookups (getTermsForEntry(..., locale)) resolve correctly on every translation row. Per-translation taxonomy assignments override anchor-inherited ones per-taxonomy when the translator picked different terms, matching WPML "Translate Independently" mode. Taxonomies the translation did not touch keep their inherited assignments, matching WPML "Sync" mode and Polylang's default.

  Adds result.taxonomies to the import response (additive). Existing consumers continue to work unchanged.

  Scope note: this fixes the HTTP import path, which is what the admin UI calls. The standalone emdash import wordpress CLI command writes JSON files to disk and has its own slug-only output path that does not carry locale, so it can still clobber two translations with the same post_name. That is a separate fix and not addressed here.

• #768 121f173 Thanks @ask-bonk! - Fixes SQLITE_CORRUPT_VTAB (database disk image is malformed) when editing or publishing content on collections that have search enabled, and on restore-from-trash, permanent-delete, and edit-while-trashed flows.

  The FTS5 sync triggers used the contentless-table form (DELETE FROM fts WHERE rowid = OLD.rowid) on what is actually an external-content FTS5 table. After an UPDATE on ec_<collection>, FTS5 then read NEW column values from the (already updated) content table while trying to remove OLD tokens from the inverted index, drifting the index out of sync until SQLite refused further reads. Rewrites the triggers to use the documented external-content-safe INSERT INTO fts(fts, rowid, ...) VALUES('delete', OLD.rowid, OLD.col1, ...) pattern, gated on OLD.deleted_at IS NULL so we don't try to remove rows that were never indexed (which would itself raise SQLITE_CORRUPT_VTAB on restore-from-trash and permanent-delete).

  Adds migration 039_fix_fts5_triggers that rebuilds the FTS index for every search-enabled collection on upgrade, replacing the broken triggers and recovering from any latent index corruption left behind by earlier mutations. The migration runs once at startup before the first request can hit the affected paths, so upgrading sites get the fix on their next deploy without depending on a search-endpoint visit to trigger lazy auto-repair.

• #1077 f4a9711 Thanks @ascorbic! - Fixes Astro.locals.emdash typing. The shipped type declaration referenced a build artifact that does not exist, so locals.emdash silently fell back to any in every EmDash site — losing autocomplete and type-checking on the handlers API in your pages and endpoints. It is now correctly typed as EmDashHandlers.

• #1019 5681eb2 Thanks @ascorbic! - Fixes a Zod type-incompatibility between trusted plugins and core. Without a workspace-level pin, emdash's zod: ^4.3.5 could resolve to a different patch than Astro's bundled Zod, and Zod 4 embeds the version in the type — so schemas imported via astro/zod in trusted plugins (e.g. @emdash-cms/plugin-forms) were not assignable to definePlugin's PluginRoute<TInput>['input']. Pins Zod in the pnpm catalog so the entire workspace dedupes on one instance.

• #1074 ed917d9 Thanks @ascorbic! - Fixes stored config sharing when the runtime module is loaded as both compiled dist and raw src in the same process (Vite SSR / dual-package). The integration config is now keyed on a global Symbol.for registry entry instead of a typed globalThis var, matching the existing isolate-singleton pattern, so getStoredConfig() resolves consistently across both module copies.

• #1076 6e62b90 Thanks @ascorbic! - Fixes a type error in the shipped WordPress-plugin import source: the analyze-endpoint error body from response.json() is unknown under @cloudflare/workers-types and was read without narrowing. This file ships as raw source via the emdash/routes/* export, so the error surfaced in strict consumer typechecks (issue #1053). The body is now typed before .message is read; runtime behaviour is unchanged.

• Updated dependencies [05440b1, 484e7ab, 0d5843f, 0cd8c6d, d014b48, dbaea9c, 5681eb2]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #991 dc44989 Thanks @ascorbic! - Fixes TypeError crash on all content mutation API routes when Astro's cache API is not available. The cache context parameter is undefined when the cache feature is not enabled, causing cache.enabled to throw. All 11 call sites now use optional chaining (cache?.enabled).

• Updated dependencies []:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• Updated dependencies [f8ee1ed, 27e6d58, 4c11017, f1d4c0b, 7c536e5, d273e9a, 514d32d, 8116949, c4ee7ad]:
  • @emdash-cms/[email protected]
  • [email protected]

Minor Changes

• #978 27e6d58 Thanks @ascorbic! - Enforces the sandboxed plugin bundle size caps from RFC 0001 §"Bundle size limits" in both the bundle and publish CLI flows: total decompressed ≤ 256 KB, per-file decompressed ≤ 128 KB, and at most 20 files per bundle. The previous bundle command capped only the total at 5 MB; the publish command now also re-validates the decompressed tarball before signing the release record so a publisher hits the same cap locally that aggregators enforce at ingest. Bundles between 256 KB and the old 5 MB ceiling will now be rejected — usually a sign the plugin is bundling host-provided dependencies or assets that belong in a CDN rather than the plugin payload.

• #942 7c536e5 Thanks @MA2153! - Adds per-field allowed MIME types for file and image fields. Field-level allowedTypes is now honored end-to-end: it filters the media picker, widens upload acceptance for that field (so e.g. a zip-only field can accept zip uploads even though the global allowlist excludes them), and validates referenced media against the destination field on content save. The schema editor in admin gains an "Allowed types" control with curated presets and freeform entry.

  Behavior change: the image builder's allowedTypes option was previously accepted but read by nothing. It is now load-bearing — a code-first schema that already passed allowedTypes (e.g. ["image/png"]) will now actually narrow the picker and gate uploads. Most users will see no change; if you set this option intending the old (silent) behavior, drop it.

  Behavior change: updating a field via the admin schema editor now explicitly clears its validation when the form contains no validation settings, instead of leaving an existing validation value intact. This only affects fields with pre-existing validation that is not expressible in the editor UI.

Patch Changes

• #893 f8ee1ed Thanks @j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.

  Note for standalone @emdash-cms/auth consumers: If your credentials table already exists, you must manually run ALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7 to support this update. The DEFAULT -7 value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill.

• #976 4c11017 Thanks @ask-bonk! - Fixes migration 016_api_tokens failing with table "_emdash_api_tokens" already exists after a partially-applied previous attempt. If up() crashed mid-way (D1 subrequest limit, isolate cancellation, transient connection error), the migration record never got recorded and Kysely re-ran the migration from the top on the next request, blocking every subsequent boot. up() now uses IF NOT EXISTS on every CREATE so a retry skips already-applied steps and finishes the remainder. Resolves the "table already exists" error reported on fresh Cloudflare Workers + D1 deploys.

• #939 f1d4c0b Thanks @schiste! - Make the MCP menu write tools locale-aware by exposing locale on menu_create,
  menu_update, menu_delete, and menu_set_items, exposing translationOf on
  menu_create, and teaching handleMenuSetItems() to target the requested locale
  and tag inserted menu items with that menu's locale.

  All seven menu-name lookups (handleMenuUpdate, handleMenuDelete,
  handleMenuSetItems, handleMenuItemCreate, handleMenuItemUpdate,
  handleMenuItemDelete, handleMenuItemReorder) now fail loud with the new
  AMBIGUOUS_LOCALE error code (HTTP 400) when called with a name that exists
  in multiple locales and no locale is provided. Previously the lookup silently
  picked an arbitrary translation, which could rewrite or delete the wrong
  locale's menu on multi-locale installs. The error message lists the available
  locales so callers can recover. Single-locale installs and callers that already
  pass locale are unaffected.

  The translationOf → locale requirement is now enforced inside
  handleMenuCreate (returns VALIDATION_ERROR), so REST/SDK callers get the
  same guard the MCP boundary already provided.

• d273e9a Thanks @ascorbic! - Refactors the plugin manifest types to re-export from @emdash-cms/plugin-types. The capability vocabulary (PluginCapability, CAPABILITY_RENAMES, normalizeCapability, isDeprecatedCapability) and manifest shape (ManifestHookEntry, ManifestRouteEntry, PluginStorageConfig, StorageCollectionConfig) now live in the shared package so the registry CLI can write the same types core reads. Existing imports from emdash's plugin types module continue to work unchanged.

• #943 514d32d Thanks @Rimander! - Fixes seed menu items losing their translation_group across export/apply by adding optional id, locale, and translationOf fields to SeedMenuItem. The export emits stable seed IDs and translationOf references; the apply resolves them to the anchor's translation_group, matching the existing pattern for content entries, taxonomies, and terms.

• #948 8116949 Thanks @ascorbic! - Adds always-on db.* and cache.* Server-Timing fields so render-phase performance is diagnosable in production. Each request now emits db.total (cumulative DB ms), db.count (query count), db.first / db.last (first/last query offset from request start), and cache.hit / cache.miss (request-scoped cache stats). The Kysely log hook is now always installed so counters work without setting EMDASH_QUERY_LOG.

• #946 c4ee7ad Thanks @LeanderG! - Fixes Postgres rate-limit queries by quoting the reserved window column name.

• Updated dependencies [7f6b6ea, 131bea6, f8ee1ed, 54b5aa1, c630e31, 7c536e5, 7aa1897, 943df46, 0b8a319, 13ff061, 49b66d9, 1b2fa77, 530b013, af15975, a4968c1, f80fb58]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #923 943df46 Thanks @ascorbic! - Adds @emdash-cms/registry-client: atproto-aware client for the EmDash plugin registry. Three independent layers — credential storage (filesystem / env-vars / in-memory), publisher repo operations, and discovery against an aggregator. EXPERIMENTAL — pin to an exact version while RFC 0001 is in flight.

• Updated dependencies [5464b55, 943df46]:

  • @emdash-cms/[email protected]

Patch Changes

• Updated dependencies [f8ee1ed, 27e6d58, 4c11017, f1d4c0b, 7c536e5, d273e9a, 514d32d, 8116949, c4ee7ad]:
  • [email protected]

Patch Changes

• Updated dependencies [f8ee1ed, 27e6d58, 4c11017, f1d4c0b, 7c536e5, d273e9a, 514d32d, 8116949, c4ee7ad]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #983 06d5f3f Thanks @ppppangu! - Fix embedded forms so public rendering accepts the API response envelope returned by the form definition route.

• Updated dependencies [f8ee1ed, 27e6d58, 4c11017, f1d4c0b, 7c536e5, d273e9a, 514d32d, 8116949, c4ee7ad]:

  • [email protected]

Minor Changes

• #978 27e6d58 Thanks @ascorbic! - Enforces the sandboxed plugin bundle size caps from RFC 0001 §"Bundle size limits" in both the bundle and publish CLI flows: total decompressed ≤ 256 KB, per-file decompressed ≤ 128 KB, and at most 20 files per bundle. The previous bundle command capped only the total at 5 MB; the publish command now also re-validates the decompressed tarball before signing the release record so a publisher hits the same cap locally that aggregators enforce at ingest. Bundles between 256 KB and the old 5 MB ceiling will now be rejected — usually a sign the plugin is bundling host-provided dependencies or assets that belong in a CDN rather than the plugin payload.

Patch Changes

• #929 5464b55 Thanks @ascorbic! - Fixes the CLI hanging indefinitely after a successful login or logout. run() was returning correctly, but something in the OAuth path left a ref'd handle alive that prevented Node's event loop from draining. Workaround: force-exit at the top level once runMain resolves. The underlying handle leak is unidentified.

• #929 5464b55 Thanks @ascorbic! - Switches the login flow to request granular OAuth scopes derived from the @emdash-cms/registry-lexicons lexicon set instead of the broad transition:generic: repo: for every record-shaped lexicon (package profile, package release, publisher profile, publisher verification) and rpc:<nsid>?aud=* for every aggregator query (getLatestRelease, getPackage, listReleases, resolvePackage, searchPackages). Display name resolution no longer goes through com.atproto.server.getSession; the handle is read from the DID document via LocalActorResolver so the CLI doesn't need an rpc:com.atproto.* scope and isn't affected by PDS-side DPoP/Bearer compatibility quirks. If the PDS rejects the granular scopes with invalid_scope, login automatically retries once with transition:generic and prints a notice. Existing sessions continue working with their original scope until they're revoked or re-issued.

• #929 5464b55 Thanks @ascorbic! - Improves login error reporting for OAuth response failures. Previously, transient PDS errors surfaced as a bare unknown_error with a stack trace; the CLI now prints the HTTP status, endpoint, OAuth error code/description, a body snippet when the response wasn't OAuth-shaped JSON, and a hint to retry on 5xx responses.

• #923 943df46 Thanks @ascorbic! - Adds @emdash-cms/registry-cli: standalone CLI for the experimental plugin registry. Subcommands for login, logout, whoami, switch, search, info, bundle, and publish. Atproto OAuth via loopback callback server. The publish flow fetches the tarball from the URL, verifies a sha256 multihash, extracts and validates manifest.json, locally validates each lexicon record, and atomically writes profile + release records (with the EmDash declaredAccess trust extension) via a single atproto applyWrites. Distributes via npx @emdash-cms/registry-cli to keep atproto deps out of the core CMS install.

• Updated dependencies [943df46, 943df46, 5464b55, 943df46]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #929 5464b55 Thanks @ascorbic! - Adds RECORD_NSIDS and QUERY_NSIDS const arrays alongside the existing NSID map. They enumerate the record-shaped and query-shaped lexicons in this package so consumers (e.g. tooling that builds OAuth repo: / rpc: scopes) can derive their list from the lexicon set instead of hand-rolling one that drifts.

Patch Changes

• #923 943df46 Thanks @ascorbic! - Adds @emdash-cms/registry-lexicons: generated TypeScript types and runtime validation schemas for the EmDash plugin registry lexicons (com.emdashcms.experimental.*). EXPERIMENTAL — NSIDs and shapes will change while RFC 0001 is in flight; pin to an exact version.

Minor Changes

• #942 7c536e5 Thanks @MA2153! - Adds per-field allowed MIME types for file and image fields. Field-level allowedTypes is now honored end-to-end: it filters the media picker, widens upload acceptance for that field (so e.g. a zip-only field can accept zip uploads even though the global allowlist excludes them), and validates referenced media against the destination field on content save. The schema editor in admin gains an "Allowed types" control with curated presets and freeform entry.

  Behavior change: the image builder's allowedTypes option was previously accepted but read by nothing. It is now load-bearing — a code-first schema that already passed allowedTypes (e.g. ["image/png"]) will now actually narrow the picker and gate uploads. Most users will see no change; if you set this option intending the old (silent) behavior, drop it.

  Behavior change: updating a field via the admin schema editor now explicitly clears its validation when the form contains no validation settings, instead of leaving an existing validation value intact. This only affects fields with pre-existing validation that is not expressible in the editor UI.

• #921 530b013 Thanks @jcheese1! - Adds table support to the PortableText editor. Users can now insert and edit tables via the slash command menu (/table) or toolbar button. Tables support header rows, column/row insertion and deletion, and include a bubble menu for quick editing.

Patch Changes

• #958 7f6b6ea Thanks @ascorbic! - Fixes admin lists, tables and info cards rendering as transparent against the page background. Card containers in the content list, content type list, content type editor, media library, comments, users and device authorization views now have an explicit bg-kumo-base surface so they're visually distinct from the body.

  Also fixes column header labels in content list tables ("Title", "Status", etc.) rendering pale because of an undefined Tailwind class (text-kumo-fg) -- they now use the default text color and rely on the sort indicator icon to signal active state.

• #952 131bea6 Thanks @ascorbic! - Replaces 20 raw <input type="checkbox"> elements across the admin UI with Kumo's Switch and Checkbox components. Single-boolean toggles (SEO, Enable comments, Required, etc.) become Switch; multi-select / list-context checkboxes (collection multi-select, term tree nodes) become Checkbox. Drops manual styling and label markup that duplicated what the Kumo components provide built-in.

• #956 54b5aa1 Thanks @CacheMeOwside! - Fixes broken checkboxes on the comments moderation page (/_emdash/admin/comments). Selecting a comment threw a JavaScript error and did not select the row.

• #934 c630e31 Thanks @ascorbic! - Fixes button and link inconsistencies across the admin UI. Standardises on Kumo's Button icon prop and LinkButton (with external for new-tab links) instead of manual icon spacing and raw anchor styling, removes a <Link><Button> invalid HTML nesting in the plugin manager, and translates two stray English strings in the user list empty state.

• #949 7aa1897 Thanks @ascorbic! - Fixes invalid <a><button> HTML produced by <Link><Button>...</Button></Link> patterns across the admin UI. Introduces a RouterLinkButton component that wraps TanStack Router's <Link> with Kumo button styling (variant, size, shape, icon props), and migrates all existing <Link className={buttonVariants(...)}> usages to use it. Extracts the duplicated "Back to settings" header link into a shared BackToSettingsLink component.

• #940 0b8a319 Thanks @ascorbic! - Fixes the long tail of untranslated English strings in the admin UI: settings panels, marketplace, sandboxed-plugin host, auth flows, taxonomy/menu management, and lib/api fallback messages. After this PR, EmDash admin UI is fully localizable across all known surfaces.

• #957 13ff061 Thanks @ascorbic! - Fixes the OG image picker in the content editor only appearing for collections with a field literally named featured_image. The OG image control now lives in the SEO sidebar panel alongside the other SEO fields, so any collection with seo enabled can set a social preview image regardless of whether it has a featured image field.

• #955 49b66d9 Thanks @ascorbic! - Removes the sticky editor header from content / content-type / section / settings pages. The sticky implementation had transparency artifacts (backdrop-blur over varied content), layout fragility (negative margins canceling parent padding), z-index conflicts with the app bar, and ~85px of permanent vertical chrome. Each editor now renders a Save button at the bottom of the form so users can save without scrolling back to the top header. The distraction-free hover-overlay header in the content editor is preserved.

• #966 1b2fa77 Thanks @ahliweb! - i18n(id): complete Indonesian translation (320 strings)

• #937 af15975 Thanks @ascorbic! - Fixes ~250 untranslated English strings in the admin UI's most-used screens (router toasts, content type editor, widgets, byline and user routes, invite-accept flow, portable text editor toolbar, image and embed editor nodes, user list). All title=, aria-label=, placeholder=, and toast messages in these areas now flow through Lingui.

• #950 a4968c1 Thanks @ascorbic! - Replaces raw <select> and <input type="search"> elements across the admin UI with Kumo's Select and Input components. This gives consistent styling, proper focus rings, accessibility (label association via the Field wrapper), and dark-mode handling for free instead of relying on hand-rolled Tailwind classes that bypassed the design system.

• #973 f80fb58 Thanks @ahliweb! - Translates the remaining untranslated string in the Indonesian locale, bringing it to 100% coverage.

• Updated dependencies []:

  • @emdash-cms/[email protected]

Patch Changes

• #893 f8ee1ed Thanks @j-liszt! - Enhances Passkey authentication with polymorphic algorithm support. Adds support for RS256 (RSA) alongside the existing ES256 (ECDSA) implementation, ensuring full compatibility with Windows Hello, hardware security keys, and FIDO2 standards. Includes a database migration to track and persist credential algorithms for future-proof authentication.

  Note for standalone @emdash-cms/auth consumers: If your credentials table already exists, you must manually run ALTER TABLE credentials ADD COLUMN algorithm INTEGER NOT NULL DEFAULT -7 to support this update. The DEFAULT -7 value ensures that existing rows (which are all ES256) continue to work seamlessly without requiring any data backfill.

Patch Changes

• #923 943df46 Thanks @ascorbic! - Adds @emdash-cms/plugin-types: shared TypeScript types for the EmDash plugin manifest contract — capability vocabulary (PluginCapability, CAPABILITY_RENAMES, isDeprecatedCapability, normalizeCapability), manifest shape (PluginManifest, ManifestHookEntry, ManifestRouteEntry, PluginAdminConfig, PluginStorageConfig). Consumed by both emdash (manifest reader at install/runtime) and @emdash-cms/registry-cli (manifest writer at bundle/publish time). After the registry phase 1 cutover removes the legacy bundling code from core, both sides will continue depending on this single source of truth.

Patch Changes

• #918 1e0cb76 Thanks @ascorbic! - Updates declared capabilities to the current names (content:read, content:write, media:read, media:write, network:request, network:request:unrestricted) instead of the deprecated aliases. Plugin descriptors now report the package's own version instead of a stale hard-coded literal.

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:

  • [email protected]

Patch Changes

• #918 1e0cb76 Thanks @ascorbic! - Updates declared capabilities to the current names (content:read, content:write, media:read, media:write, network:request, network:request:unrestricted) instead of the deprecated aliases. Plugin descriptors now report the package's own version instead of a stale hard-coded literal.

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:

  • [email protected]

Patch Changes

• #900 b3d1f40 Thanks @mvanhorn! - Fixes interactive Project name? prompt to accept . for the current directory. The flag-positional path already accepted . (validated by validateProjectName), but the prompt's inline regex check rejected it, so users running npm create emdash@latest with no arguments could not scaffold into the current directory. The prompt now uses validateProjectName directly for parity, and its message hints at the . option.

Patch Changes

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:
  • [email protected]

Patch Changes

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 5eb4318, 7e32092, 2e2b8e9, 9146931]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #918 1e0cb76 Thanks @ascorbic! - Updates declared capabilities to the current names (content:read, content:write, media:read, media:write, network:request, network:request:unrestricted) instead of the deprecated aliases. Plugin descriptors now report the package's own version instead of a stale hard-coded literal.

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:

  • [email protected]

Patch Changes

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #912 c8a3a2c Thanks @lsngmin! - Permanent-delete API now refuses to remove live (non-trashed) rows and uses a content-domain content:delete_permanent permission instead of the unrelated import:execute. Existing audience (ADMIN-only) is unchanged.

Minor Changes

• #717 5eb4318 Thanks @lsngmin! - Add Tab block to Block Kit for tabbed panel layouts

Patch Changes

• #719 2e2b8e9 Thanks @ascorbic! - Fixes the file field type rendering as a plain text input in the content editor. Adds a FileFieldRenderer that opens the media picker (with mime filter disabled) so any file type can be attached. Also adds a hideUrlInput prop to MediaPickerModal so non-image pickers can hide the image-specific "Insert from URL" input.

  Aligns the Zod schema and generated TypeScript types for image and file fields with the shape the admin actually stores: provider?, meta? (for both), and previewUrl? (for image). Previously these fields were stripped on validation and missing from generated types, so site code could not reliably resolve local media URLs from meta.storageKey.

• Updated dependencies [5eb4318]:

  • @emdash-cms/[email protected]

Patch Changes

• #918 1e0cb76 Thanks @ascorbic! - Updates declared capabilities to the current names (content:read, content:write, media:read, media:write, network:request, network:request:unrestricted) instead of the deprecated aliases. Plugin descriptors now report the package's own version instead of a stale hard-coded literal.

• Updated dependencies [a2d3658, c8a3a2c, 699e1b3, 71f4e7d, 7e32092, 2e2b8e9, 9146931]:

  • [email protected]

Minor Changes

• #916 71f4e7d Thanks @Rimander! - Adds i18n support to menus and taxonomies (categories, tags, custom
  definitions), mirroring the per-locale model already in place for content.
  Each row carries locale and translation_group; translations of the
  same menu/term/def share a translation_group. _emdash_menu_items.reference_id
  and content_taxonomies.taxonomy_id are remapped to store the referenced
  row's translation_group, so a single association survives content
  translations and is resolved against the active locale at runtime.

  • Runtime helpers (getMenu, getTaxonomyTerms, getTerm, getEntryTerms,
    getAllTermsForEntries, …) accept an optional { locale } and honour the
    i18n fallback chain; when no locale is given they fall back to the
    request context and defaultLocale, matching getEmDashCollection /
    getEmDashEntry.
  • REST API: GET endpoints accept ?locale=xx; POST endpoints accept
    locale and translationOf in their bodies. New endpoints:
    GET/POST /_emdash/api/menus/:name/translations and
    GET/POST /_emdash/api/taxonomies/:name/terms/:slug/translations.
  • Creating a content translation now auto-copies the source's taxonomy
    assignments (the pivot is locale-agnostic, so the copied rows apply to
    the whole translation group).
  • MCP: taxonomy_list, taxonomy_list_terms, taxonomy_create_term,
    menu_list, menu_get accept locale. New tools:
    taxonomy_term_translations, menu_translations.
  • Admin: TaxonomyManager and MenuList surface a LocaleSwitcher when
    multiple locales are configured and thread the active locale through
    all API calls. TaxonomyManager exposes a "Translate" action per term
    that creates the translation and switches to the new locale.

  No breaking changes for new installs or single-locale upgrades — defaults
  are additive (locale defaults to 'en' when omitted, reproducing pre-i18n
  behaviour).

  ⚠️ Rolling back migration 036_i18n_menus_and_taxonomies is blocked
  on multi-locale installs. Dropping the locale column would collapse
  translated rows onto an ambiguous (name, slug) unique key, silently
  deleting content. The migration's down() now refuses to run when any
  row uses a non-default locale and prints the affected table in the
  error. If you need to revert, export translations first (or delete
  them), then re-run the rollback. Single-locale installs revert cleanly.

• #902 7e32092 Thanks @ascorbic! - emdash plugin init now prompts for the plugin format (sandboxed or native) when run interactively, and the scaffolded boilerplate matches the canonical patterns from the docs. Both formats now ship a dist/ build via tsdown, declare a sample storage collection, and demonstrate a hook plus an API route. The sandboxed entry uses an explicitly typed ContentSaveEvent; the native entry forwards options through createPlugin. The descriptor id is now derived from the slug instead of the full scoped package name, so scoped names like @org/my-plugin produce a runtime-valid id. Pass --format=sandboxed, --format=native, or --native to skip the prompt; non-TTY runs continue to default to sandboxed.

Patch Changes

• #701 a2d3658 Thanks @lsngmin! - Fixes MediaValue.src returning bare media ID instead of a usable URL for local media

• #912 c8a3a2c Thanks @lsngmin! - Permanent-delete API now refuses to remove live (non-trashed) rows and uses a content-domain content:delete_permanent permission instead of the unrelated import:execute. Existing audience (ADMIN-only) is unchanged.

• #896 699e1b3 Thanks @cristianuibar! - Fixes 500 error on GET /_emdash/api/dashboard when running on Cloudflare D1 with many title-bearing collections. fetchRecentItems now issues one query per collection in parallel and merges results in JS instead of building a single chained UNION ALL, which trips D1's SQLITE_LIMIT_COMPOUND_SELECT cap once enough collections are present (#895).

• #719 2e2b8e9 Thanks @ascorbic! - Fixes the file field type rendering as a plain text input in the content editor. Adds a FileFieldRenderer that opens the media picker (with mime filter disabled) so any file type can be attached. Also adds a hideUrlInput prop to MediaPickerModal so non-image pickers can hide the image-specific "Insert from URL" input.

  Aligns the Zod schema and generated TypeScript types for image and file fields with the shape the admin actually stores: provider?, meta? (for both), and previewUrl? (for image). Previously these fields were stripped on validation and missing from generated types, so site code could not reliably resolve local media URLs from meta.storageKey.

• #911 9146931 Thanks @masonjames! - Fixes WordPress media URL rewriting for imported image URLs that use generated size suffixes.

• Updated dependencies [c8a3a2c, 2e2b8e9]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #814 a838000 Thanks @arashackdev! - rtl srtyle improvements and LTR/RTL compatible arrow/caret icons

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]

Patch Changes

• Updated dependencies [e2b3c6c, 7b8d496, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, a838000, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #814 a838000 Thanks @arashackdev! - rtl srtyle improvements and LTR/RTL compatible arrow/caret icons

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]

Patch Changes

• #856 ef3f076 Thanks @ask-bonk! - Republishes with emdash as a peerDependency instead of a runtime dependency. The previously published 0.1.1 release pinned emdash to an ancient 0.1.1 as a hard dependency, which made npm install of any template that included this plugin (e.g. the blog template) install two copies of emdash side-by-side, or fail outright with ERESOLVE on stricter npm configurations (#819). The package source already declared the dependency correctly; this version simply ships the corrected package.json.

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:

  • [email protected]

Patch Changes

• #734 cf1edae Thanks @huckabarry! - Fixes AT Protocol plugin setup by declaring the storage collection used by the sandbox implementation, normalizing pasted PDS URLs, and exposing the missing site name and publication sync controls in the admin page.

• Updated dependencies [493e317, 3eca9d5, 3eca9d5, 37ada52, 0557b62, 5a581d9, 0ecd3b4, 3138432, 70924cd, 1f0f6f2, 3eca9d5, e402890, 3eca9d5, f5658f0, 3eca9d5, 3eca9d5, b6cb2e6, 3eca9d5, cf1edae, b352e88, 31333dc, da3d065, 3eca9d5, 3eca9d5, 3eca9d5, 47978b5, 3eca9d5]:

  • [email protected]

Minor Changes

• #814 a838000 Thanks @arashackdev! - rtl srtyle improvements and LTR/RTL compatible arrow/caret icons

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]

Minor Changes

• #859 3015280 Thanks @ask-bonk! - Adds non-interactive mode to create-emdash for CI / scripted scaffolding (#711). Pass --template, --platform, --pm, --install/--no-install, --yes, and --force to skip prompts; partial flag use only prompts for unset fields. Interactive flow is unchanged when no flags are supplied.

  • --template <key> accepts a bare template (blog | starter | marketing | portfolio) or the combined form <platform>:<key> (e.g. cloudflare:blog).
  • --pm <key> (alias --package-manager) selects the package manager.
  • --yes / -y accepts defaults for any unset field (cloudflare, blog, detected pm, my-site for an unset name).
  • --force is required alongside --yes to overwrite a non-empty target directory; without it, the CLI refuses rather than silently clobbering files.
  • --help / -h prints usage. Unknown flags fail loudly so typos don't silently drop into interactive mode.
  • An extra positional argument (e.g. npm create emdash my blog with a space instead of a hyphen) is now rejected as a likely typo.

  No new dependencies — built on node:util's parseArgs.

• #811 cee403d Thanks @ascorbic! - Scaffolds a fresh EMDASH_ENCRYPTION_KEY into .dev.vars (Cloudflare
  templates) or .env (Node templates) on project creation, and ensures the
  file is gitignored. Idempotent — won't overwrite an existing key on re-runs.

Patch Changes

• #852 e73bb5f Thanks @ask-bonk! - Removes the "Blank" template from the npm create emdash picker. The minimal-content template is starter; the previously listed blank only existed for the Node.js path (never Cloudflare) and was confusing. Pick Starter for a minimal site on either platform.

• #869 a8bac5d Thanks @ask-bonk! - Fixes autosave validation errors on content seeded from the blog,
  portfolio, and starter templates (issue #867).

  Two related issues:

  • _key was strictly required on Portable Text blocks by the
    generated Zod schema, but the rest of the block schema is
    .passthrough() and the editor regenerates _key on every change,
    so requiring it on input rejected legitimate seed/import data
    without protecting any real invariant. _key is now optional in the
    validator.
  • The portfolio template shipped featured_image as bare URL strings.
    image fields validate as { id, ... } objects, so any user who
    edited a different field on a portfolio entry hit
    featured_image: expected object, received string. The portfolio
    seeds now use $media references in the same shape as the blog
    template, and every shipped template seed has stable _keys on its
    Portable Text nodes.

  A regression test runs every shipped template seed through the same
  validator the autosave endpoint uses, so future template changes that
  break this invariant fail before release.

Minor Changes

• #884 e2b3c6c Thanks @ascorbic! - Removes the worker-isolate manifest cache and stops loading the manifest on public requests.

  The admin manifest (collection schemas, plugins, taxonomies) is built fresh from the live database on every admin request via constant-shape queries (SchemaRegistry.listCollectionsWithFields() — one collection query plus one batched field query, chunked at the D1 bound-parameter limit; two queries in practice for typical sites), deduplicated within a single request by requestCached. Logged-out / public requests no longer touch it at all — the global middleware no longer pre-loads locals.emdashManifest. Admin routes that need it call await emdash.getManifest().

  This closes the cross-isolate staleness bug class behind #776, #873, #876, and #877 by elimination: there is no cache to invalidate, so there is nothing to fan out across warm sibling isolates on Cloudflare Workers, and there is nothing to leave stale after a fire-and-forget delete is cancelled at response-time.

  Breaking changes

  • locals.emdash.invalidateManifest is removed. The shim that survived earlier was a misnomer once the manifest cache itself was gone. Plugin code that called this after schema changes should switch to locals.emdash.invalidateUrlPatternCache (the only side effect that survived) — or drop the call entirely if the mutation didn't affect collection URL patterns (field/taxonomy/plugin mutations don't).
  • locals.emdashManifest is removed. Read it via await locals.emdash.getManifest() instead. The only in-tree consumers were the admin manifest endpoint and the WordPress importer routes, both updated.
  • EmDashRuntime.invalidateManifest() is removed. EmDashRuntime.getManifest() is preserved with the same signature; its body now skips the cache layer.

  Performance

  The admin manifest build is now O(1) query shapes (one for collections, one batched query for the fields of every returned collection, chunked at the D1 bound-parameter limit) instead of N+1. This is the cost the cache was hiding; the rebuild is cheap enough to run per request.

• #731 9dfc65c Thanks @drudge! - Adds a media_picker Block Kit element: a thumbnail preview with a modal library picker and mime-type filter. Usable in plugin block forms and in Block Kit field widgets. The stored value is the selected asset's URL string, so it is value-compatible with a plain text_input — existing content continues to work after swapping. The mime_type_filter is restricted to image MIME types (image/ or image/<subtype>); wildcards and non-image types are rejected.

• #809 e7df21f Thanks @ascorbic! - Adds an optional category field to PortableTextBlockConfig for plugin-contributed block types. Plugins can now choose how their blocks are grouped in the admin slash menu (e.g. "Sections", "Marketing", "Media", "Layout") instead of always falling under "Embeds". Existing plugins that omit the field continue to render under "Embeds" exactly as before.

• #890 8ae227c Thanks @ascorbic! - Adds publishedAt to content_publish (MCP and REST) and exposes seo, bylines, and publishedAt on the MCP content_update tool.

  content_publish now accepts an optional ISO 8601 publishedAt to backdate a publish, which is useful when migrating content from another CMS or correcting a historical publish date. The override requires the content:publish_any permission. Without it, the existing published_at is preserved on re-publish (idempotent) and falls back to the current time on first publish.

  The MCP content_update tool previously dropped seo, bylines, and publishedAt even though the underlying handler accepted them. Callers had to fall back to raw SQL against _emdash_seo and _emdash_content_bylines to set these fields. They now flow through the MCP tool and are persisted in the same transaction as field updates. Setting publishedAt requires content:publish_any, mirroring the REST PUT route. Closes #621 and #622.

• #800 e2d5d16 Thanks @csfalcao! - Adds support for accepting passkey assertions from multiple origins that share an rpId, for deployments reachable under several hostnames (apex + preview/staging) under one registrable parent. Declare additional origins via EmDashConfig.allowedOrigins (in astro.config.mjs) or the EMDASH_ALLOWED_ORIGINS env var (comma-separated); the two sources merge at runtime. EmDash validates the merged set against siteUrl and rejects dead config (non-subdomain entries, IP-literal siteUrl, trailing dots, empty labels) with source-attributed errors. PasskeyConfig.origin: string is replaced by PasskeyConfig.origins: string[].

• #837 e81aa0f Thanks @netogregorio! - Make the preview URL pattern locale-aware. getPreviewUrl() now accepts a {locale} placeholder and a locale option (empty string collapses adjacent slashes so default-locale entries on prefixDefaultLocale: false sites stay unprefixed). The POST /_emdash/api/content/{collection}/{id}/preview-url route resolves the locale automatically from the entry and the site's i18n config, and reads a project-wide default pattern from the new EMDASH_PREVIEW_PATH_PATTERN env var so the admin's "View on site" link can match locale-prefixed routes (e.g. /{locale}/{id}).

• #811 cee403d Thanks @ascorbic! - Adds a centralized secrets module and emdash secrets CLI command group.
  The preview HMAC secret and commenter-IP hash salt are now generated and
  persisted in the options table on first need, with EMDASH_PREVIEW_SECRET
  and EMDASH_IP_SALT as optional env overrides. This replaces the previous
  empty-string preview fallback (which silently disabled token verification)
  and the hardcoded "emdash-ip-salt" constant (which was correlatable
  across installs).

  Adds:

  • emdash secrets generate [--write <file> [--force]] — emits a fresh
    EMDASH_ENCRYPTION_KEY (versioned emdash_enc_v1_<43 chars> format),
    optionally writes it to .dev.vars or .env idempotently.
  • emdash secrets fingerprint <key> — prints the kid (8-char fingerprint)
    for a key without exposing its value.

  Lays groundwork for plugin-secret encryption-at-rest in a follow-up.

  Deprecates:

  • emdash auth secret — kept as a working alias that prints a stderr
    deprecation note. Will be removed in a future minor. EMDASH_AUTH_SECRET
    itself is now legacy: it's only consulted as a fallback IP-salt source
    for upgrade compatibility (so existing installs keep stable
    commenter-IP hashes). New installs don't need to set it.

  API changes:

  • fingerprintKey() (exported from emdash's config module) now
    validates its input and throws EmDashSecretsError for malformed or
    non-canonical keys, where it previously silently hashed any string.
    Callers that want the previous "fingerprint anything" behavior should
    hash the input themselves with crypto.subtle.digest.

  User-visible side effects on upgrade:

  • Installs that hadn't set EMDASH_PREVIEW_SECRET get a fresh random
    preview secret on first start, which invalidates any outstanding
    preview URLs (typically short-lived).
  • Installs that hadn't set EMDASH_AUTH_SECRET get a fresh random IP
    salt, resetting active comment rate-limit windows once.
  • Installs that did set EMDASH_AUTH_SECRET keep the same IP salt via a
    legacy fallback, so existing rate-limit data carries over.
  • If you sign preview URLs from a separate process without access to the
    EmDash database (e.g. a remote preview Worker), you must continue to
    set EMDASH_PREVIEW_SECRET in both processes. Processes that share
    the database converge on the same auto-generated value automatically;
    the env override is only needed when the verifying process can't read
    the options table.

• #816 d4be24f Thanks @ask-bonk! - Unifies plugin capability names under a single <resource>[.<sub-resource>]:<verb>[:<qualifier>] formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded :any qualifier with the more conspicuous :unrestricted. Old names are still accepted with @deprecated warnings; emdash plugin bundle and emdash plugin validate warn for each deprecated name and emdash plugin publish refuses manifests that still use them.

  The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (content:read, content:write, media:read, media:write, users:read, network:request, network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins with read:content resolve to content:read and reach the same code path.

  | Old | New |
  | ------------------- | -------------------------------- |
  | read:content | content:read |
  | write:content | content:write |
  | read:media | media:read |
  | write:media | media:write |
  | read:users | users:read |
  | network:fetch | network:request |
  | network:fetch:any | network:request:unrestricted |
  | email:provide | hooks.email-transport:register |
  | email:intercept | hooks.email-events:register |
  | page:inject | hooks.page-fragments:register |

  Existing installs keep working — manifests are normalized at every external boundary and diffCapabilities normalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.

Patch Changes

• #858 e0dc6fb Thanks @ask-bonk! - Adds CSS custom-property hooks to portable-text block defaults in Image, Embed, Gallery, and Break so host sites can theme figcaptions and horizontal rules without overriding component CSS. Resolution order is --emdash-caption-color → --color-muted → #666 for captions, --emdash-break-color → --color-border → #e0e0e0 for the break line, and --emdash-break-dots-color → --color-muted → #999 for break dots. Backward compatible: sites that don't define any of these variables get the previous hex defaults; sites that already expose the conventional --color-muted / --color-border tokens (e.g. the blog template) now get correct dark-mode theming automatically.

• #838 c22fb3a Thanks @ascorbic! - Removes a redundant SELECT id, author_id lookup that fired after every collection-list and entry fetch when computing the byline-fallback for entries without explicit credits. The column is already on the row data, so it is now read directly. Saves up to one round-trip per list query and two on post-detail routes (~30 fewer queries across the perf-fixture suite).

• #805 6a4e9b8 Thanks @ascorbic! - Fixes data loss in the visual-editing inline editor for plugin-contributed Portable Text block types. Previously, custom blocks like marketing.hero lost every field except id when the page was opened in edit mode, and the next save persisted the loss. Blocks now round-trip losslessly and render as a read-only placeholder labelled with the block type.

• #702 0ee372a Thanks @ilicfilip! - Adds @emdash-cms/plugin-field-kit — composable field widgets for json fields. Four widgets (object-form, list, grid, tags) are configured entirely through seed options so site builders don't need to write React to get a usable editing UI. Widgets store clean JSON (no nesting, no mutation of shape), so removing the plugin leaves valid data in the database. See discussion #571 for background.

  Widens FieldDescriptor.options to Array<{ value: string; label: string }> | Record<string, unknown> so plugin widgets can accept arbitrary widget config (not only enum choices). The array shape for select / multiSelect continues to work unchanged.

• #861 22a16ee Thanks @ask-bonk! - Fixes "Cannot find module 'kysely'" at runtime after astro build followed by astro preview or node dist/server/entry.mjs on Node deployments using SQLite or libSQL (#741). The SQLite and libSQL dialect runtime modules used CJS require("kysely") and require("better-sqlite3"), ostensibly to defer loading at config time — though in practice these modules are only ever loaded at runtime via virtual:emdash/dialect, so the deferral served no purpose. Vite preserved those literal require() calls in the bundled SSR chunks; under pnpm's strict node_modules layout, Node's CJS resolver could not find kysely (a transitive dep of emdash) from the user's dist/server/chunks/ directory. The dialect modules now use static imports — matching the existing db/postgres.ts adapter — so Vite resolves the deps correctly at build time.

• #847 1e2b024 Thanks @ascorbic! - Fixes site favicon injection so user-configured favicons render on the public site, including SVG favicons in Chromium browsers (#831). EmDashHead now emits a <link rel="icon"> tag with the correct type attribute (e.g. image/svg+xml) sourced from the stored media's MIME type. The bundled templates and demos have been updated to drop their per-template favicon link in favour of the centralized injection; existing user sites that still emit their own <link rel="icon"> continue to work because browsers tolerate the duplicate.

  MediaReference now carries url, contentType, width, and height when resolved via resolveMediaReference, so callers can emit correct head tags without a second round-trip to the media table.

• #851 81662e9 Thanks @ask-bonk! - Fixes admin branding (logo, siteName, favicon) configured via the integration's admin option not being delivered to the React admin SPA. The /_emdash/api/manifest route now reads admin branding from the per-request config plumbed through middleware (the same source admin.astro already used), instead of a build-time global that was never assigned.

• #857 2f22f57 Thanks @ask-bonk! - Fixes a migration race on D1 where two concurrent Workers isolates could both try to apply the same migration, causing one to fail with UNIQUE constraint failed: _emdash_migrations.name. The losing isolate would throw before reaching auto-seed, leaving the manifest cache empty and the admin UI reporting collections as not found while the API reported them correctly. runMigrations now treats this specific error as benign, waits for the concurrent migrator to finish, and verifies the schema is fully migrated before returning success. Closes #762.

• #856 ef3f076 Thanks @ask-bonk! - Fixes npm install peer dependency conflicts (#819) by removing @tanstack/react-query and @tanstack/react-router from peerDependencies. These libraries are internal implementation details of the bundled admin UI (@emdash-cms/admin) and consuming Astro apps don't import them directly. Listing them as peers of emdash was forcing every npm-based install to install and resolve them at the top level, which produced ERESOLVE errors and bloat. The admin package continues to declare them as its own runtime dependencies.

• #817 a9c29ea Thanks @all3f0r1! - Fixes redirect middleware so 301/302 rules from _emdash_redirects actually fire for unauthenticated visitors. Previously, the lookup was silently skipped on the public-visitor branch because locals.emdash.db is intentionally omitted there — only logged-in admins, edit-mode sessions and preview tokens ever saw redirects (so WordPress migration 301s, manual rewrites and Auto: slug change rows did nothing for real traffic, and hits / _emdash_404_log stayed at zero). The middleware now falls back to getDb() (ALS-aware) when locals.emdash.db is absent. Resolves #808.

• #874 d5f7c48 Thanks @ask-bonk! - Fixes EmDashRuntime.invalidateManifest() leaving the persisted manifest cache row stale on Cloudflare Workers. The D1 row delete was a fire-and-forget promise — on Workers, unawaited work is cancelled when the isolate is torn down post-response, so options.emdash:manifest_cache was almost never actually wiped after a schema mutation. Cold-starting isolates downstream then adopted the pre-mutation snapshot and served Collection '<slug>' not found until something else cleared the row. The delete now goes through after(), which hands it to ctx.waitUntil under workerd. (#873)

• #839 0d98c62 Thanks @ascorbic! - Caches the site:* settings prefix-scan across requests within a worker isolate. Site settings change rarely; reading them once per route was wasted work. Writes via setSiteSettings() invalidate the cache so other isolates pick up changes within their lifetime.

• #840 64bf5b9 Thanks @ascorbic! - Reduces duplicate queries on pages that render multiple taxonomy or "recent posts" widgets. getTaxonomyDef(name) now reuses the full taxonomy-defs list when it has already been loaded in the same request, and getEmDashCollection buckets small limits so a post-detail page asking for 4 posts in the body and 5 in a sidebar widget shares one fetch instead of two. Cuts ~6 queries from the perf-fixture post-detail render.

• #803 0041d76 Thanks @mvanhorn! - Fixes migrations 034 and 035 so they can safely re-run when a previous attempt left the schema partially applied without recording it in _emdash_migrations. Resolves the "index already exists" error reported on upgrade from 0.1.1 to 0.6.0+.

• #869 a8bac5d Thanks @ask-bonk! - Fixes autosave validation errors on content seeded from the blog,
  portfolio, and starter templates (issue #867).

  Two related issues:

  • _key was strictly required on Portable Text blocks by the
    generated Zod schema, but the rest of the block schema is
    .passthrough() and the editor regenerates _key on every change,
    so requiring it on input rejected legitimate seed/import data
    without protecting any real invariant. _key is now optional in the
    validator.
  • The portfolio template shipped featured_image as bare URL strings.
    image fields validate as { id, ... } objects, so any user who
    edited a different field on a portfolio entry hit
    featured_image: expected object, received string. The portfolio
    seeds now use $media references in the same shape as the blog
    template, and every shipped template seed has stable _keys on its
    Portable Text nodes.

  A regression test runs every shipped template seed through the same
  validator the autosave endpoint uses, so future template changes that
  break this invariant fail before release.

• #882 5b6f059 Thanks @ascorbic! - Fixes the seed virtual module to also look at the conventional seed/seed.json path when no .emdash/seed.json or package.json#emdash.seed pointer is configured. Without this fallback, a site that only had seed/seed.json would silently fall through to the built-in default seed -- the setup wizard would not offer demo content, and the wrong schema would be applied. The loader now warns when it falls through to the default seed so misconfiguration is loud during dev.

• #855 a86ff80 Thanks @ask-bonk! - Fixes Astro session lookups firing on every anonymous public SSR request (#733). The middleware now skips context.session.get("user") when no astro-session cookie is present, which on Cloudflare Workers (where the Astro session backend is KV) was turning normal anonymous traffic into a flood of KV read misses. Logged-in editors, admin routes, edit/preview flows, and any request that actually carries the session cookie continue to read the session as before.

• #853 eb6dbd0 Thanks @drudge! - Fixes content saves on collections with boolean fields. Boolean fields map to INTEGER columns and the repository writes booleans as 0/1, but never converts them back on read, so a GET → edit → POST round-trip surfaced numbers where the per-collection zod schema expected booleans, and every save was rejected. The boolean field schema now coerces the 0/1 shape to real booleans at the validation boundary; other numbers and strings still fail validation as before.

• Updated dependencies [9dfc65c, d6754ae, 0ee372a, ef3f076, 8d0feb3, 8354088, 254a443, 25128b2, e7df21f, ab45916, 0913a39, e2d5d16, a838000, ddbf808, 1c958fb, 491aeec, d4be24f]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #699 2e2d4bc Thanks @MohamedH1998! - Adds a package for converting Contentful Rich Text documents into Portable Text blocks.

Minor Changes

• #816 d4be24f Thanks @ask-bonk! - Unifies plugin capability names under a single <resource>[.<sub-resource>]:<verb>[:<qualifier>] formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded :any qualifier with the more conspicuous :unrestricted. Old names are still accepted with @deprecated warnings; emdash plugin bundle and emdash plugin validate warn for each deprecated name and emdash plugin publish refuses manifests that still use them.

  The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (content:read, content:write, media:read, media:write, users:read, network:request, network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins with read:content resolve to content:read and reach the same code path.

  | Old | New |
  | ------------------- | -------------------------------- |
  | read:content | content:read |
  | write:content | content:write |
  | read:media | media:read |
  | write:media | media:write |
  | read:users | users:read |
  | network:fetch | network:request |
  | network:fetch:any | network:request:unrestricted |
  | email:provide | hooks.email-transport:register |
  | email:intercept | hooks.email-events:register |
  | page:inject | hooks.page-fragments:register |

  Existing installs keep working — manifests are normalized at every external boundary and diffCapabilities normalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]

Minor Changes

• #790 7b8d496 Thanks @all3f0r1! - Adds an accordion Block Kit block: a collapsible container that wraps nested blocks under a labeled trigger. Open/closed state is local to the rendered component (with optional default_open), so plugin admin pages can hide advanced settings, FAQs, or auxiliary panels without paginating or round-tripping through block_action.

• #731 9dfc65c Thanks @drudge! - Adds a media_picker Block Kit element: a thumbnail preview with a modal library picker and mime-type filter. Usable in plugin block forms and in Block Kit field widgets. The stored value is the selected asset's URL string, so it is value-compatible with a plain text_input — existing content continues to work after swapping. The mime_type_filter is restricted to image MIME types (image/ or image/<subtype>); wildcards and non-image types are rejected.

• #814 a838000 Thanks @arashackdev! - rtl srtyle improvements and LTR/RTL compatible arrow/caret icons

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #800 e2d5d16 Thanks @csfalcao! - Adds support for accepting passkey assertions from multiple origins that share an rpId, for deployments reachable under several hostnames (apex + preview/staging) under one registrable parent. Declare additional origins via EmDashConfig.allowedOrigins (in astro.config.mjs) or the EMDASH_ALLOWED_ORIGINS env var (comma-separated); the two sources merge at runtime. EmDash validates the merged set against siteUrl and rejects dead config (non-subdomain entries, IP-literal siteUrl, trailing dots, empty labels) with source-attributed errors. PasskeyConfig.origin: string is replaced by PasskeyConfig.origins: string[].

Minor Changes

• #731 9dfc65c Thanks @drudge! - Adds a media_picker Block Kit element: a thumbnail preview with a modal library picker and mime-type filter. Usable in plugin block forms and in Block Kit field widgets. The stored value is the selected asset's URL string, so it is value-compatible with a plain text_input — existing content continues to work after swapping. The mime_type_filter is restricted to image MIME types (image/ or image/<subtype>); wildcards and non-image types are rejected.

• #809 e7df21f Thanks @ascorbic! - Adds an optional category field to PortableTextBlockConfig for plugin-contributed block types. Plugins can now choose how their blocks are grouped in the admin slash menu (e.g. "Sections", "Marketing", "Media", "Layout") instead of always falling under "Embeds". Existing plugins that omit the field continue to render under "Embeds" exactly as before.

• #814 a838000 Thanks @arashackdev! - rtl srtyle improvements and LTR/RTL compatible arrow/caret icons

• #854 491aeec Thanks @ask-bonk! - Adds consistently-placed sticky Save buttons across editor pages so unsaved changes are always visible. The Content editor, Section editor, Content Type editor, and Settings sub-pages (General, SEO, Social Links) now render their primary save action in a sticky top-right header that stays visible while users scroll long forms. The existing bottom-of-form save buttons are preserved so keyboard and screen-reader users still hit a save action as the last interactive control on the page (DOM order is unchanged). Introduces a shared EditorHeader component for editor pages that want the same sticky-header pattern. Fixes #233.

Patch Changes

• #849 d6754ae Thanks @drudge! - Fixes the datetime field widget so existing values display in the editor and new values pass server validation. The widget passed raw ISO 8601 (YYYY-MM-DDTHH:mm:ss.sssZ) into <input type="datetime-local">, which silently rendered empty, and emitted YYYY-MM-DDTHH:mm on save, which the field's zod schema rejected. Strips the suffix for display, appends :00.000Z on save, and normalizes date-only stored values to UTC midnight for the input. Applies to the top-level datetime widget in the content editor and the datetime sub-field type inside RepeaterField.

• #702 0ee372a Thanks @ilicfilip! - Adds @emdash-cms/plugin-field-kit — composable field widgets for json fields. Four widgets (object-form, list, grid, tags) are configured entirely through seed options so site builders don't need to write React to get a usable editing UI. Widgets store clean JSON (no nesting, no mutation of shape), so removing the plugin leaves valid data in the database. See discussion #571 for background.

  Widens FieldDescriptor.options to Array<{ value: string; label: string }> | Record<string, unknown> so plugin widgets can accept arbitrary widget config (not only enum choices). The array shape for select / multiSelect continues to work unchanged.

• #856 ef3f076 Thanks @ask-bonk! - Fixes npm install peer dependency conflicts (#819) by removing react and react-dom from dependencies. They were declared in both dependencies and peerDependencies, which made npm think the admin package required an exact pinned React version and conflicted with the host Astro app's React. They remain peerDependencies (^18.0.0 || ^19.0.0), and the host app supplies React.

• #821 8d0feb3 Thanks @r2sake! - Fixes the Settings (gear) icon on the Plugin Manager so it links to the plugin's primary admin page instead of a non-existent /settings sub-route.

• #862 8354088 Thanks @ask-bonk! - Fixes slug-style <input pattern="..."> attributes so HTML form validation works in current browsers. The patterns used [a-z0-9-]+, which is rejected as Invalid character class when compiled with the v (unicode-sets) flag — the mode browsers now use for the pattern attribute. The dangling - is now escaped ([a-z0-9\-]+), restoring slug validation in the Sections list/edit, Menus list, and Widgets create-area dialogs. Resolves #845.

• #887 254a443 Thanks @ascorbic! - Fixes stale content shown in the Portable Text editor when switching between translations of the same content. Previously, navigating from one locale's editor to another (e.g. from the English version of a post to the French version) kept the previous locale's body in the editor, and any subsequent edit would silently overwrite the new translation's content. The form now resets synchronously when the underlying content item changes, and field editors are keyed by item id so they remount cleanly on a translation switch.

• #885 25128b2 Thanks @ahliweb! - Fixes malformed ICU plural syntax in Indonesian (id) locale — ContentList item count now renders correctly

• #872 ab45916 Thanks @ahliweb! - Enables Indonesian (Bahasa Indonesia) locale in the admin UI

• #807 0913a39 Thanks @ascorbic! - Sizes the plugin block edit modal based on field complexity so Block Kit forms have room to breathe. Simple URL embeds keep the previous compact dialog; forms with several fields get a wider one, and forms containing a repeater open at the largest size. Inputs inside the dialog now fill the available width.

• #815 ddbf808 Thanks @ascorbic! - Fixes content list loading state showing No results for "" instead of a loader while items are being fetched. The trash tab gets the same treatment.

• #870 1c958fb Thanks @CacheMeOwside! - Fixes the image-settings icon in the Section editor so it actually opens <ImageDetailPanel> in the sidebar.

• #816 d4be24f Thanks @ask-bonk! - Unifies plugin capability names under a single <resource>[.<sub-resource>]:<verb>[:<qualifier>] formula so capabilities read like RBAC permissions, separates hook-registration permissions from data-access ones for clearer audits, and replaces the overloaded :any qualifier with the more conspicuous :unrestricted. Old names are still accepted with @deprecated warnings; emdash plugin bundle and emdash plugin validate warn for each deprecated name and emdash plugin publish refuses manifests that still use them.

  The Cloudflare sandbox bridge and HTTP fetch helper now enforce canonical names (content:read, content:write, media:read, media:write, users:read, network:request, network:request:unrestricted). Manifests that still declare legacy names continue to work — the runner normalizes capabilities before passing them into the bridge, so installed plugins with read:content resolve to content:read and reach the same code path.

  | Old | New |
  | ------------------- | -------------------------------- |
  | read:content | content:read |
  | write:content | content:write |
  | read:media | media:read |
  | write:media | media:write |
  | read:users | users:read |
  | network:fetch | network:request |
  | network:fetch:any | network:request:unrestricted |
  | email:provide | hooks.email-transport:register |
  | email:intercept | hooks.email-events:register |
  | page:inject | hooks.page-fragments:register |

  Existing installs keep working — manifests are normalized at every external boundary and diffCapabilities normalizes both sides so version upgrades that only rename do not trigger a "capability changed" prompt. Deprecated names will be removed in the next minor.

• Updated dependencies [7b8d496, 9dfc65c, a838000]:

  • @emdash-cms/[email protected]

Minor Changes

• #702 0ee372a Thanks @ilicfilip! - Adds @emdash-cms/plugin-field-kit — composable field widgets for json fields. Four widgets (object-form, list, grid, tags) are configured entirely through seed options so site builders don't need to write React to get a usable editing UI. Widgets store clean JSON (no nesting, no mutation of shape), so removing the plugin leaves valid data in the database. See discussion #571 for background.

  Widens FieldDescriptor.options to Array<{ value: string; label: string }> | Record<string, unknown> so plugin widgets can accept arbitrary widget config (not only enum choices). The array shape for select / multiSelect continues to work unchanged.

Patch Changes

• Updated dependencies [e2b3c6c, 9dfc65c, e0dc6fb, c22fb3a, 6a4e9b8, 0ee372a, 22a16ee, 1e2b024, 81662e9, 2f22f57, ef3f076, a9c29ea, e7df21f, d5f7c48, 8ae227c, e2d5d16, 0d98c62, 64bf5b9, e81aa0f, 0041d76, cee403d, a8bac5d, 5b6f059, a86ff80, d4be24f, eb6dbd0]:
  • [email protected]

Minor Changes

• #679 493e317 Thanks @drudge! - Adds a repeater Block Kit element: array-of-objects with scalar sub-fields, drag-to-reorder, and collapsible item cards. Plugin block forms can now capture repeating data (FAQ rows, carousel slides, card grids) inline in the portable-text editor.

• #779 e402890 Thanks @ascorbic! - Adds settings_get and settings_update MCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO). settings_get resolves media references (logo/favicon/seo.defaultOgImage) to URLs; settings_update is a partial update that preserves omitted fields. New settings:read (EDITOR+) and settings:manage (ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI.

• #777 3eca9d5 Thanks @ascorbic! - Behavior change — MCP taxonomy_list_terms now uses an opaque base64 keyset cursor over (label, id) instead of the previous raw term-id cursor. The new cursor is robust to concurrent term deletion: it encodes a position in sort space rather than a reference to a specific row. MCP clients that persisted page cursors across this upgrade should drop them and restart pagination — pre-upgrade cursors will return INVALID_CURSOR.

  Adds parent-chain validation to taxonomy_create_term (previously only taxonomy_update_term validated): rejects non-existent parents, cross-taxonomy parents, self-parent on update, cycles on update, and parent chains exceeding 100 ancestors. Existing taxonomies with chains over the depth limit continue to function but cannot accept new descendants until the chain is shortened.

• #675 b6cb2e6 Thanks @eyupcanakman! - Renders local media through storage publicUrl when configured. EmDashImage and the Portable Text image block now call a new locals.emdash.getPublicMediaUrl() helper, so R2 and S3 deployments with a custom domain serve images from that domain. S3Storage.getPublicUrl now returns the /_emdash/api/media/file/{key} path when no publicUrl is set (previously {endpoint}/{bucket}/{key}).

• #398 31333dc Thanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the same AuthProviderDescriptor interface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.

Patch Changes

• #777 3eca9d5 Thanks @ascorbic! - Fixes MCP ownership checks failing with an internal error on content that has no authorId (seed-imported rows). Admins and editors can now edit, publish, unpublish, schedule, and restore such items; users with only own-content permissions get a clean permission error.

• #777 3eca9d5 Thanks @ascorbic! - Fixes content create / update silently accepting invalid data: required fields are now enforced, select / multiSelect values must match the configured options, and reference fields must resolve to a real, non-trashed target. Errors surface with a structured VALIDATION_ERROR code and a message naming every offending field.

• #670 37ada52 Thanks @segmentationfaulter! - Change text direction of input fields and tiptap editor depending upon the language entered

• #688 0557b62 Thanks @corwinperdomo! - Fixes the Settings > Email admin page so active email:beforeSend / email:afterSend middleware plugins are listed (previously always empty). Adds HookPipeline.getHookProviders() for enumerating non-exclusive hook providers.

• #673 5a581d9 Thanks @mvanhorn! - Fixes WordPress media import to emit relative /_emdash/api/media/file/... URLs instead of absolute ones, matching every other media endpoint. Imported media is now recognized by INTERNAL_MEDIA_PREFIX for enrichment, and no longer pins URLs to the origin that happened to serve the import request (breaking renders on a different port or behind a reverse proxy).

• #750 0ecd3b4 Thanks @edrpls! - Make the admin collection list column headers sortable. Title, Status, Locale, and Date are now clickable buttons that toggle direction; the current sort state is exposed via aria-sort on the <th> so screen readers announce it correctly.

  The server's orderBy field whitelist now accepts status, locale, and name alongside the existing date fields — unchanged from a security standpoint, the repo still rejects unknown field names to prevent column enumeration.

  Callers of <ContentList> that don't pass onSortChange render the previous static-label headers, so legacy integrations (e.g. the content picker) are unaffected.

• 3138432 Thanks @r2sake! - Fixes hydration of the inline PortableText editor on pnpm projects by aliasing use-sync-external-store/shim to the main use-sync-external-store package. The shim is a CJS-only React<18 polyfill imported transitively by @tiptap/react; under pnpm's virtual store Vite cannot pre-bundle it, and the browser receives raw module.exports which fails to load as ESM (SyntaxError: ... does not provide an export named 'useSyncExternalStore'). The aliases redirect to React's built-in useSyncExternalStore (peer-dep floor is React 18), so users no longer need to add the workaround themselves in astro.config.mjs.

• #755 70924cd Thanks @mvanhorn! - Fixes the WordPress importer so collections created mid-import are visible to the subsequent execute phase.

  POST /_emdash/api/import/wordpress/prepare now calls emdash.invalidateManifest() when it creates new collections or fields. Without this, the DB-persisted manifest cache (emdash:manifest_cache in the options table) stays stale and the execute request reports Collection "<slug>" does not exist for every item destined for a freshly created collection — a bug that survived dev-server restarts and required manually deleting the cache row.

• #757 1f0f6f2 Thanks @ascorbic! - Removes two redundant in-scope database queries from the FTS verify-and-repair path. The inner block re-fetched searchable fields and search config that were already loaded in the outer scope of the same method. No behavior change.

• #777 3eca9d5 Thanks @ascorbic! - Fixes paginated list endpoints silently returning the first page when given a malformed cursor. Bad cursors now produce a structured INVALID_CURSOR error so client pagination bugs surface immediately.

  Note for plugin authors: the low-level decodeCursor export from emdash/database/repositories now throws InvalidCursorError on invalid input instead of returning null. Direct callers (rare — most code uses findMany-style helpers that handle this internally) should wrap the call in try/catch or migrate to the higher-level helpers.

• #777 3eca9d5 Thanks @ascorbic! - Fixes schema_create_collection MCP tool to apply its documented default of ['drafts', 'revisions'] for supports when omitted.

• #189 f5658f0 Thanks @Sayeem3051! - Add url and email plugin setting field types (Issue #175)

• #777 3eca9d5 Thanks @ascorbic! - Preserves structured error codes through MCP tool responses. Errors returned by MCP tools now include a stable [CODE] prefix in the message text and a _meta.code field on the response envelope, so MCP clients can distinguish failure modes (e.g. NOT_FOUND, CONFLICT, VALIDATION_ERROR) instead of seeing only a generic message.

• #777 3eca9d5 Thanks @ascorbic! - Fixes revision_restore for collections that support revisions: restore now creates a new draft revision from the source revision's data and updates draft_revision_id, leaving the live columns untouched. Previously, restore overwrote the live row directly and left any pending draft unchanged, opposite to the documented contract ("Replaces the current draft..."). The response is also hydrated so the returned data reflects the post-restore state.

  Behavior is unchanged for collections that do not support revisions.

• #734 cf1edae Thanks @huckabarry! - Preserve clearer error logging and run sandboxed after() content hook tasks in parallel when deferred plugin hooks execute after save and publish.

• #794 b352e88 Thanks @ascorbic! - Sanitises the snippet field returned by the search() API so it is safe to render with set:html / innerHTML. Previously SQLite's FTS5 snippet() function spliced literal <mark> tags around matched terms but left the surrounding text unescaped, meaning a post title like Hello <script>alert(1)</script> would render as live markup. Templates and components rendering snippets directly were exposed; the in-tree LiveSearch component already worked around this client-side. Snippets now contain only HTML-escaped source text plus literal <mark>...</mark> highlight tags, matching the documented contract.

• #183 da3d065 Thanks @masonjames! - Fixes Astro dev to use the built admin package for external app installs while keeping source aliasing for local monorepo development.

• #777 3eca9d5 Thanks @ascorbic! - Tightens conflict-error matchers in handleContentCreate and handleContentUpdate. Both paths now match specifically on "unique constraint failed" or "duplicate key" (avoiding false positives where the word "unique" appears in unrelated error text), and produce sanitized SLUG_CONFLICT / CONFLICT messages so raw database error text — including Postgres-internal index names — no longer leaks to API consumers. Clients that pattern-match the previous unsanitized messages will see normalized text instead.

• #777 3eca9d5 Thanks @ascorbic! - Fixes taxonomy_list exposing collection slugs for collections that no longer exist. Orphaned slugs are filtered out so the response stays consistent with schema_list_collections.

• #777 3eca9d5 Thanks @ascorbic! - Fixes content_unpublish so that publishedAt is cleared when an item is unpublished.

• #608 47978b5 Thanks @drudge! - Fixes /_emdash/api/widget-areas/* endpoints returning raw DB rows (snake_case fields, content as a JSON string) instead of the transformed Widget shape. Admin UI expects content to already be a parsed PortableText array and componentId/componentProps/menuName in camelCase, so expanding a content widget in /_emdash/admin/widgets produced an empty editor. All four route handlers (GET /widget-areas, GET /widget-areas/:name, POST /widget-areas/:name/widgets, PUT /widget-areas/:name/widgets/:id) now run their results through rowToWidget, which was made module-exported.

• #777 3eca9d5 Thanks @ascorbic! - Adds taxonomies:manage and menus:manage API token scopes for fine-grained control over taxonomy and menu mutations via MCP and REST. Existing tokens with content:write continue to work for those operations: content:write now implicitly grants menus:manage and taxonomies:manage so PATs issued before the split keep their effective permissions. The reverse implication does not hold — a token with only menus:manage cannot create or edit content.

• Updated dependencies [86b26f6, 493e317, e998083, 37ada52, acab807, 0ecd3b4, 4c9f04d, e402890, ed4d880, 31333dc, 3eca9d5]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Minor Changes

• #679 493e317 Thanks @drudge! - Adds a repeater Block Kit element: array-of-objects with scalar sub-fields, drag-to-reorder, and collapsible item cards. Plugin block forms can now capture repeating data (FAQ rows, carousel slides, card grids) inline in the portable-text editor.

• #779 e402890 Thanks @ascorbic! - Adds settings_get and settings_update MCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO). settings_get resolves media references (logo/favicon/seo.defaultOgImage) to URLs; settings_update is a partial update that preserves omitted fields. New settings:read (EDITOR+) and settings:manage (ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI.

• #398 31333dc Thanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the same AuthProviderDescriptor interface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.

Patch Changes

• #611 86b26f6 Thanks @drudge! - Wires up the block configuration sidebar inside WidgetEditor. PortableTextEditor now receives onBlockSidebarOpen/onBlockSidebarClose callbacks that hold the active BlockSidebarPanel in local state, and renders ImageDetailPanel when the panel type is "image" — mirroring the content-entry editor. Without this, clicking a block's settings button or the media picker inside widget content had no visible effect.

• #786 e998083 Thanks @smart-cau! - Adds Korean translations for 21 admin UI strings that previously fell back to English. Korean (ko) coverage is now complete.

• #670 37ada52 Thanks @segmentationfaulter! - Change text direction of input fields and tiptap editor depending upon the language entered

• #720 acab807 Thanks @Pouf5! - Fix taxonomies not nesting correctly in a RTL layout

• #750 0ecd3b4 Thanks @edrpls! - Make the admin collection list column headers sortable. Title, Status, Locale, and Date are now clickable buttons that toggle direction; the current sort state is exposed via aria-sort on the <th> so screen readers announce it correctly.

  The server's orderBy field whitelist now accepts status, locale, and name alongside the existing date fields — unchanged from a security standpoint, the repo still rejects unknown field names to prevent column enumeration.

  Callers of <ContentList> that don't pass onSortChange render the previous static-label headers, so legacy integrations (e.g. the content picker) are unaffected.

• #184 4c9f04d Thanks @masonjames! - Fixes plugin block defaults so initial values are seeded without overriding later edits.

• #700 ed4d880 Thanks @dcardosods! - Prefill site title and tagline in Setup Wizard from seed file

• Updated dependencies [6e0e921, 493e317]:

  • @emdash-cms/[email protected]

Patch Changes

• Updated dependencies [493e317, 3eca9d5, 3eca9d5, 37ada52, 0557b62, 5a581d9, 0ecd3b4, 3138432, 70924cd, 1f0f6f2, 3eca9d5, e402890, 3eca9d5, f5658f0, 3eca9d5, 3eca9d5, b6cb2e6, 3eca9d5, cf1edae, b352e88, 31333dc, da3d065, 3eca9d5, 3eca9d5, 3eca9d5, 47978b5, 3eca9d5]:
  • [email protected]

Minor Changes

• #792 6e0e921 Thanks @all3f0r1! - Adds an empty Block Kit block: a styled empty-state placeholder with title, optional description, copyable shell command, size variant (sm/base/lg), and an optional list of action elements (CTAs). Plugin admin pages can now render proper empty states for lists, tables, and onboarding flows without rolling their own layout.

• #679 493e317 Thanks @drudge! - Adds a repeater Block Kit element: array-of-objects with scalar sub-fields, drag-to-reorder, and collapsible item cards. Plugin block forms can now capture repeating data (FAQ rows, carousel slides, card grids) inline in the portable-text editor.

Minor Changes

• #785 e0dd616 Thanks @MattieTK! - Adds support for positional directory argument, allowing npm create emdash . to scaffold into the current directory and npm create emdash my-project to skip the interactive name prompt.

Minor Changes

• #779 e402890 Thanks @ascorbic! - Adds settings_get and settings_update MCP tools so agents can read and update site-wide settings (title, tagline, logo, favicon, URL, posts-per-page, date format, timezone, social, SEO). settings_get resolves media references (logo/favicon/seo.defaultOgImage) to URLs; settings_update is a partial update that preserves omitted fields. New settings:read (EDITOR+) and settings:manage (ADMIN) API token scopes back the tools, with matching options in the personal API token settings UI.

Patch Changes

• #398 31333dc Thanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the same AuthProviderDescriptor interface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.

• #777 3eca9d5 Thanks @ascorbic! - Adds taxonomies:manage and menus:manage API token scopes for fine-grained control over taxonomy and menu mutations via MCP and REST. Existing tokens with content:write continue to work for those operations: content:write now implicitly grants menus:manage and taxonomies:manage so PATs issued before the split keep their effective permissions. The reverse implication does not hold — a token with only menus:manage cannot create or edit content.

Minor Changes

• #398 31333dc Thanks @simnaut! - Adds pluggable auth provider system with AT Protocol as the first plugin-based provider. Refactors GitHub and Google OAuth from hardcoded buttons into the same AuthProviderDescriptor interface. All auth methods (passkey, AT Protocol, GitHub, Google) are equal options on the login page and setup wizard.

Patch Changes

• Updated dependencies [493e317, 3eca9d5, 3eca9d5, 37ada52, 0557b62, 5a581d9, 0ecd3b4, 3138432, 70924cd, 1f0f6f2, 3eca9d5, e402890, 3eca9d5, f5658f0, 3eca9d5, 3eca9d5, b6cb2e6, 3eca9d5, cf1edae, b352e88, 31333dc, da3d065, 3eca9d5, 3eca9d5, 3eca9d5, 47978b5, 3eca9d5]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• Updated dependencies [8ebdf1a, 7186961, e9ecec2, e3e18aa, fae63bd, 30d8fe0, d4a95bf, a31db7d, adb118c, 080a4f1, 81fe93b, c26442b]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #736 81fe93b Thanks @ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retain content:read for member-only published content but no longer see non-published items via the REST API or MCP server. Adds a new content:read_drafts permission (Contributor and above) that gates /compare, /revisions, /trash, /preview-url, and the corresponding MCP tools.

Minor Changes

• #705 8ebdf1a Thanks @eba8! - Adds admin white-labeling support via admin config in astro.config.mjs. Agencies can set a custom logo, site name, and favicon for the admin panel, separate from public site settings.

• #742 c26442b Thanks @ascorbic! - Adds trustedProxyHeaders config option so self-hosted deployments behind a reverse proxy can declare which client-IP headers to trust. Used by auth rate limits (magic-link, signup, passkey, OAuth device flow) and the public comment endpoint — without it, every request on a non-Cloudflare deployment was treated as "unknown" and rate limits were effectively disabled.

  Set the option in astro.config.mjs:

  emdash({
  	trustedProxyHeaders: ["x-real-ip"], // nginx, Caddy, Traefik
  });
  

  or via the EMDASH_TRUSTED_PROXY_HEADERS env var (comma-separated). Headers are tried in order; values ending in forwarded-for are parsed as comma-separated lists.

  Also removes the user-agent-hash fallback on the comment endpoint. The fallback was meant to give anonymous commenters on non-Cloudflare deployments something approximating per-user rate limiting, but the UA is trivially rotatable; requests with no trusted IP now share a stricter "unknown" bucket. Operators behind a reverse proxy should set trustedProxyHeaders to restore per-IP bucketing.

  Only set trustedProxyHeaders when you control the reverse proxy. Trusting a forwarded-IP header from the open internet lets any client spoof their IP and defeats rate limiting.

Patch Changes

• #745 7186961 Thanks @ascorbic! - Fixes an unauthenticated denial-of-service via the 404 log. Every 404 response previously inserted a new row into _emdash_404_log, so an attacker could grow the database without bound by requesting unique nonexistent URLs. Repeat hits to the same path now dedup into a single row with a hits counter and last_seen_at timestamp, referrer and user-agent headers are truncated to bounded lengths, and the log is capped at 10,000 rows with oldest-first eviction.

• #739 e9ecec2 Thanks @MohamedH1998! - Fixes the REST content API silently stripping publishedAt on create/update and createdAt on create. Importers can now preserve original publish and creation dates on migrated content. Gated behind content:publish_any (EDITOR+) so regular contributors cannot backdate posts. createdAt is intentionally not accepted on update — created_at is treated as immutable.

• #732 e3e18aa Thanks @jcheese1! - Fixes select dropdown appearing behind dialog by removing explicit z-index values and adding isolate to the admin body for proper stacking context.

• #695 fae63bd Thanks @ascorbic! - Fixes emdash seed so entries declared with "status": "published" are actually published. Previously the seed wrote the content row with status: "published" and a published_at timestamp but never created a live revision, so the admin UI showed "Save & Publish" instead of "Unpublish" and live_revision_id stayed null. The seed now promotes published entries to a live revision on both create and update paths.

• #744 30d8fe0 Thanks @ascorbic! - Fixes a setup-window admin hijack by binding /setup/admin and /setup/admin/verify to a per-session nonce cookie. Previously an unauthenticated attacker who could reach a site during first-time setup could POST to /setup/admin between the legitimate admin's email submission and passkey verification, overwriting the stored email — the admin account would then be created with the attacker's address. The admin route now mints a cryptographically random nonce, stores it in setup state, and sets it as an HttpOnly, SameSite=Strict, /_emdash/-scoped cookie; the verify route rejects any request whose cookie does not match in constant time.

• #685 d4a95bf Thanks @ascorbic! - Fixes visual editing: clicking an editable field now opens the inline editor instead of always opening the admin in a new tab. The toolbar's manifest fetch was reading manifest.collections directly but the /_emdash/api/manifest endpoint wraps its payload in { data: … }, so every field-kind lookup returned null and every click fell through to the admin-new-tab fallback.

• #743 a31db7d Thanks @ascorbic! - Locks emdash:site_url after the first setup call so a spoofed Host header on a later step of the wizard can't overwrite it. Config (siteUrl) and env (EMDASH_SITE_URL) paths already took precedence; this is a defence-in-depth guard for deployments that rely on the request-origin fallback.

• #737 adb118c Thanks @ascorbic! - Rate-limits the self-signup request endpoint to prevent abuse. POST /_emdash/api/auth/signup/request now allows 3 requests per 5 minutes per IP, matching the existing limit on magic-link/send. Over-limit requests return the same generic success response as allowed-but-ignored requests, so the limit isn't observable to callers.

• #738 080a4f1 Thanks @ascorbic! - Strengthens SSRF protection on the import pipeline against DNS-rebinding. The validateExternalUrl helper now also blocks known wildcard DNS services (nip.io, sslip.io, xip.io, traefik.me, lvh.me, localtest.me) and trailing-dot FQDN forms of blocked hostnames. A new resolveAndValidateExternalUrl resolves the target hostname via DNS-over-HTTPS (Cloudflare) and rejects if any returned IP is in a private range. ssrfSafeFetch and the plugin unrestricted-fetch path now use the DNS-aware validator on every hop. This adds two DoH round-trips per outbound request; self-hosted admins whose egress blocks cloudflare-dns.com can inject a custom resolver via setDefaultDnsResolver.

• #736 81fe93b Thanks @ascorbic! - Restricts Subscriber-role access to draft, scheduled, and trashed content. Subscribers retain content:read for member-only published content but no longer see non-published items via the REST API or MCP server. Adds a new content:read_drafts permission (Contributor and above) that gates /compare, /revisions, /trash, /preview-url, and the corresponding MCP tools.

• Updated dependencies [8ebdf1a, 2e4b205, e3e18aa, 743b080, fa8d753, 81fe93b]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #740 63509e1 Thanks @ascorbic! - Sandboxed plugin HTTP requests now follow redirects manually and re-validate the destination at every hop. The allowedHosts list is checked on each redirect target (not just the initial URL), so an allowed host that 302s to a disallowed one no longer bypasses the scope. Credential headers (Authorization, Cookie, Proxy-Authorization) are stripped on cross-origin redirects. network:fetch:any and allowedHosts: ["*"] now still reject literal private IPs, cloud-metadata addresses, and known internal hostnames — the allowlist scopes which public hosts a plugin may reach, not whether SSRF protection applies. Non-http(s) URL schemes are rejected. Caps redirect chains at 5 hops.

• Updated dependencies [8ebdf1a, 7186961, e9ecec2, e3e18aa, fae63bd, 30d8fe0, d4a95bf, a31db7d, adb118c, 080a4f1, 81fe93b, c26442b]:

  • [email protected]

Minor Changes

• #705 8ebdf1a Thanks @eba8! - Adds admin white-labeling support via admin config in astro.config.mjs. Agencies can set a custom logo, site name, and favicon for the admin panel, separate from public site settings.

Patch Changes

• #680 2e4b205 Thanks @CacheMeOwside! - Fixes dark mode toggle having no effect with the classic theme.

• #732 e3e18aa Thanks @jcheese1! - Fixes select dropdown appearing behind dialog by removing explicit z-index values and adding isolate to the admin body for proper stacking context.

• #647 743b080 Thanks @arashackdev! - Adds Persian (Farsi) locale with full admin translations.
  Adds Vazirmatn as the default font family for Farsi.

• #689 fa8d753 Thanks @edrpls! - Fixes the taxonomy term picker to match across diacritic boundaries.

  Typing Mexico in the admin picker now surfaces a term labeled México instead of prompting a duplicate create. Input and term labels are folded via NFD decomposition + lowercase before substring-matching, so editors who type without diacritics — or with locale keyboards that produce precomposed vs. combining forms — still see the canonical term.

  Before this fix, "mexico" and "méxico" were treated as distinct strings, so the picker showed zero suggestions and the editor had no way to find the existing term except to create a duplicate. Duplicate terms then split the taxonomy and broke public-facing filter pages that group content by slug.

  The exact-match check that gates the "Create new term" button uses the same fold, so typing Mexico when México exists also suppresses Create — closing the duplicate-creation loop.

• Updated dependencies []:

  • @emdash-cms/[email protected]

Minor Changes

• #626 1859347 Thanks @ascorbic! - Adds eager hydration of taxonomy terms on getEmDashCollection and getEmDashEntry results. Each entry now exposes a data.terms field keyed by taxonomy name (e.g. post.data.terms.tag, post.data.terms.category), populated via a single batched JOIN query alongside byline hydration. Templates that previously looped and called getEntryTerms(collection, id, taxonomy) per entry can read entry.data.terms directly and skip the N+1 round-trip.

  New exports: getAllTermsForEntries, invalidateTermCache.

  Reserved field slugs now also block terms, bylines, and byline at schema-creation time to prevent new fields shadowing the hydrated values. Existing installs that already have a user-defined field with any of those slugs will see the hydrated value overwrite the stored value on read (consistent with the pre-existing behavior of bylines / byline hydration); rename the field to keep its data accessible.

• #600 9295cc1 Thanks @ascorbic! - Adds Noto Sans as the default admin UI font via the Astro Font API. Fonts are downloaded from Google at build time and self-hosted. The base font covers Latin, Cyrillic, Greek, Devanagari, and Vietnamese. Additional scripts (Arabic, CJK, Hebrew, Thai, etc.) can be added via the new fonts.scripts config option. Set fonts: false to disable and use system fonts.

Patch Changes

• #648 ada4ac7 Thanks @CacheMeOwside! - Adds the missing url field type for seed files, content type builder, and content editor with client-side URL validation.

• #658 f279320 Thanks @ascorbic! - Adds after(fn) — a helper for deferring bookkeeping work past the HTTP response. On Cloudflare it hands off to waitUntil (extending the worker's lifetime); on Node it fire-and-forgets (the event loop keeps the process alive for the next request anyway). Host binding is plumbed through a new virtual:emdash/wait-until virtual module so core stays runtime-neutral — Cloudflare-specific imports live in the integration layer, not in request-handling code.

  First use: cron stale-lock recovery (_emdash_cron_tasks UPDATE) now runs after the response ships instead of blocking it. On D1 this shaves a primary-routed write off the cold-start critical path.

  Usage:

  import { after } from "emdash";
  
  // Fire-and-forget; errors are caught and logged so a deferred task
  // never surfaces as an unhandled rejection.
  after(async () => {
  	await recordAuditEntry();
  });
  

• #642 7f75193 Thanks @Pouf5! - Adds maxUploadSize config option to set the maximum media file upload size in bytes. Defaults to 52_428_800 (50 MB) — existing behaviour is unchanged.

• #595 cfd01f3 Thanks @ascorbic! - Fixes playground initialization crash caused by syncSearchState attempting first-time FTS enablement during field creation.

• #663 38d637b Thanks @ascorbic! - Cache getSiteSetting(key) per-request. It was firing an uncached options table read on every call, so templates that pull several settings (or EmDashHead reading seo on every page render) paid N round-trips to the D1 primary instead of sharing one. Noticeable on colos far from the primary — APS/APE were seeing ~30–100 ms of avoidable warm-render latency per page.

  Wraps each key in requestCached("siteSetting:${key}", ...) so concurrent callers in a single render share the in-flight query.

• #631 31d2f4e Thanks @ascorbic! - Improves cold-start performance for anonymous page requests. Sites with D1 replicas far from the worker colo should see the biggest improvement; on the blog-demo the homepage cold request on Asia colos dropped from several seconds to under a second.

  Three underlying changes:

  • Search index health checks run on demand (on the first search request) rather than at worker boot, reclaiming the time a boot-time scan spent walking every searchable collection.
  • Module-scoped caches (manifest, taxonomy names, byline existence, taxonomy-assignment existence) are now reused across anonymous requests that route through D1 read replicas. They previously rebuilt on every request.
  • Cold-start Server-Timing headers break runtime init into sub-phases (rt.db, rt.plugins, etc.) so further regressions are easier to diagnose.

• #605 445b3bf Thanks @ascorbic! - Fixes D1 read replicas being bypassed for anonymous public page traffic. The middleware fast path now asks the database adapter for a per-request scoped Kysely, so anonymous reads land on the nearest replica instead of the primary-pinned singleton binding.

  All D1-specific semantics (Sessions API, constraint selection, bookmark cookie) live in @emdash-cms/cloudflare/db/d1 behind a single createRequestScopedDb(opts) function. Core middleware has no D1-specific logic. Adapters opt in via a new supportsRequestScope: boolean flag on DatabaseDescriptor; d1() sets it to true.

  Other fixes in the same change:

  • Nested runWithContext calls in the request-context middleware now merge the parent context instead of replacing it, so an outer per-request db override is preserved through edit/preview flows.
  • Baseline security headers now forward Astro's cookie symbol across the response clone so cookies.set() calls in middleware survive.
  • Any write (authenticated or anonymous) now forces first-primary, so an anonymous form/comment POST isn't racing across replicas.
  • The session user is read once per request and reused in both the fast path and the full runtime init (previously read twice on authenticated public-page traffic).
  • Bookmark cookies are validated only for length (≤1024) and absence of control characters — no stricter shape check, so a future D1 bookmark format change won't silently degrade consistency.
  • The !config bail-out now still applies baseline security headers.
  • __ec_d1_bookmark references aligned to __em_d1_bookmark across runtime, docs, and JSDoc.

• #654 943d540 Thanks @ascorbic! - Dedups repeat DB queries within a single page render. Measured against the query-count fixture:

  • The "has any bylines / has any taxonomy terms" probes were module-scoped singletons, but the bundler duplicates those modules across chunks — each chunk ended up with its own copy of the singleton, so the probe re-ran whenever a different chunk called the helper. Stored on globalThis with a Symbol key (same pattern as request-context.ts), so a single value is shared across all chunks now.
  • Wraps getCollectionInfo, getTaxonomyDef, getTaxonomyTerms, and getEmDashCollection in the request-scoped cache so two callers with the same arguments in the same render share a single query.

  Biggest wins land on pages that render multiple content-heavy components (a post detail page with comments, byline credits, and sidebar widgets). On the fixture post page: -3 queries cold / -1 warm under SQLite, -2 queries cold under D1.

• #668 2cb3165 Thanks @CacheMeOwside! - Fixes boolean field checkbox displaying as unchecked after publish in the admin UI.

• #500 14c923b Thanks @all3f0r1! - Adds inline term creation in the post editor taxonomy sidebar. Tags show a "Create" option when no match exists; categories get an "Add new" button below the list.

• #606 c5ef0f5 Thanks @ascorbic! - Caches the manifest in memory and in the database to eliminate N+1 schema queries per request. Batches site info queries during initialization. Cold starts read 1 cached row instead of rebuilding from scratch.

• #671 f839381 Thanks @jcheese1! - Fixes MCP OAuth discovery and dynamic client registration so EmDash only advertises supported client registration mechanisms and rejects unsupported redirect URIs or token endpoint auth methods during client registration. Also exempts OAuth protocol endpoints (token, register, device code, device token) from the Origin-based CSRF check, since these endpoints are called cross-origin by design (MCP clients, CLIs, native apps) and carry no ambient credentials, and sends the required CORS headers so browser-based MCP clients can reach them.

• #664 002d0ac Thanks @ascorbic! - getSiteSetting(key) now transparently piggybacks on getSiteSettings() when the batch has already been loaded in the current request. If a parent template has called getSiteSettings() (which is request-cached), a later getSiteSetting("seo") — from EmDashHead, a plugin, or user code — reads the key from that cached result instead of firing its own round-trip. Falls back to a per-key cached query when nothing has been primed.

  Exposes peekRequestCache(key) for internal use by other helpers that want the same "read from a broader cached query if available" pattern.

  On the blog-demo fixture: the SEO call added in PR #613 now costs zero extra queries per page (it reads from the Base layout's existing getSiteSettings() result).

• #465 0a61ef4 Thanks @Pouf5! - Fixes FTS5 tables not being created when a searchable collection is created or updated via the Admin UI.

• #636 6d41fe1 Thanks @ascorbic! - Fixes two correctness issues from the #631 cold-start work:

  • ensureSearchHealthy() now runs against the runtime's singleton database instead of the per-request session-bound one. The verify step reads, but a corrupted index triggers a rebuild write, and D1 Sessions on a GET request uses first-unconstrained routing that's free to land on a replica. The singleton goes through the default binding, which the adapter correctly promotes to first-primary for writes.
  • The playground request-context middleware now sets dbIsIsolated: true. Without it, schema-derived caches (manifest, taxonomy defs, byline/term existence probes) could carry values across playground sessions that have independent schemas.

• #627 b158e40 Thanks @ascorbic! - Prime the request-scoped cache for getEntryTerms during collection and entry hydration. getEmDashCollection and getEmDashEntry already fetch taxonomy terms for their results via a single batched JOIN; now the same data is seeded into the per-request cache under the same keys getEntryTerms uses, so existing templates that still call getEntryTerms(collection, id, taxonomy) in a loop get cache hits instead of a serial DB round-trip per iteration.

  Empty-result entries are seeded with [] for every taxonomy that applies to the collection so "this post has no tags" also short-circuits without a query. Cache entries are scoped to the request context via ALS and GC'd with it.

• #653 f97d6ab Thanks @ascorbic! - Adds opt-in query instrumentation for performance regression testing. Setting EMDASH_QUERY_LOG=1 causes the Kysely log hook to emit [emdash-query-log]-prefixed NDJSON on stdout for every DB query executed inside a request, tagged with the route, method, and an X-Perf-Phase header value. Zero runtime overhead when the flag is unset — the log option is only attached to Kysely when enabled.

  Also exposes the helpers at emdash/database/instrumentation so first-party adapters (e.g. @emdash-cms/cloudflare) can wire the same hook into their per-request Kysely instances.

• #613 e67b940 Thanks @nickgraynews! - Fixes site SEO settings googleVerification and bingVerification not being emitted into <head>. The fields were stored in the database and editable in the admin UI but were never rendered as <meta name="google-site-verification"> or <meta name="msvalidate.01"> tags, making meta-tag verification with Google Search Console and Bing Webmaster Tools impossible. EmDashHead now loads site SEO settings and renders these tags on every page.

• #659 0896ec8 Thanks @ascorbic! - Two query-count reductions on the request hot path:

  • Widget areas now fetch in a single query. getWidgetArea(name) used to do two round-trips — one for the area, one for its widgets. Single left-join now. Saves one query per <WidgetArea> rendered on a page.
  • Dropped the "has any bylines / has any term assignments" probes. Those fired on every hydration call to save a single query on sites with zero bylines/terms — exactly the wrong tradeoff. The batch hydration queries already handle empty sites at the same cost, so the probes are removed. Pre-migration databases (tables not created yet) are still handled via an isMissingTableError catch. Saves two queries per render on pages that hydrate bylines and taxonomy terms.

  On the fixture post-detail page: SQLite /posts/[slug] drops from 34 → 32, D1 from 43 → 39. The widget-area JOIN shaves one off every page that renders a widget area.

  invalidateBylineCache() and invalidateTermCache() are preserved as no-op exports so callers don't break.

• #558 629fe1d Thanks @csfalcao! - Fixes /_emdash/api/search/suggest 500 error. getSuggestions no longer double-appends the FTS5 prefix operator * on top of the one escapeQuery already adds, so autocomplete queries like ?q=des now return results instead of raising SqliteError: fts5: syntax error near "*".

• #552 f52154d Thanks @masonjames! - Fixes passkey login failures so unregistered or invalid credentials return an authentication failure instead of an internal server error.

• #601 8221c2a Thanks @CacheMeOwside! - Fixes the Save Changes button on the Content Type editor failing silently with a 400 error

• #598 8fb93eb Thanks @maikunari! - Fixes WordPress import error reporting to surface the real exception message instead of a generic "Failed to import item" string, making import failures diagnosable.

• #629 6d7f288 Thanks @CacheMeOwside! - Adds toast feedback when taxonomy assignments are saved or fail on content items.

• #638 4ffa141 Thanks @auggernaut! - Fixes repeated FTS startup rebuilds on SQLite by verifying indexed row counts against the FTS shadow table.

• #582 04e6cca Thanks @all3f0r1! - Improves the "Failed to create database" error to detect NODE_MODULE_VERSION mismatches from better-sqlite3 and surface an actionable message telling the user to rebuild the native module.

• Updated dependencies [dfcb0cd, cf63b02, 0b32b2f, 913cb62, 6c92d58, a2d5afb, 39d285e, f52154d]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #552 f52154d Thanks @masonjames! - Fixes passkey login failures so unregistered or invalid credentials return an authentication failure instead of an internal server error.

Patch Changes

• Updated dependencies [ada4ac7, f279320, 7f75193, cfd01f3, 38d637b, 31d2f4e, 445b3bf, 943d540, 2cb3165, 1859347, 14c923b, c5ef0f5, f839381, 002d0ac, 0a61ef4, 6d41fe1, b158e40, f97d6ab, e67b940, 0896ec8, 629fe1d, f52154d, 8221c2a, 8fb93eb, 6d7f288, 4ffa141, 04e6cca, 9295cc1]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #605 445b3bf Thanks @ascorbic! - Fixes D1 read replicas being bypassed for anonymous public page traffic. The middleware fast path now asks the database adapter for a per-request scoped Kysely, so anonymous reads land on the nearest replica instead of the primary-pinned singleton binding.

  All D1-specific semantics (Sessions API, constraint selection, bookmark cookie) live in @emdash-cms/cloudflare/db/d1 behind a single createRequestScopedDb(opts) function. Core middleware has no D1-specific logic. Adapters opt in via a new supportsRequestScope: boolean flag on DatabaseDescriptor; d1() sets it to true.

  Other fixes in the same change:

  • Nested runWithContext calls in the request-context middleware now merge the parent context instead of replacing it, so an outer per-request db override is preserved through edit/preview flows.
  • Baseline security headers now forward Astro's cookie symbol across the response clone so cookies.set() calls in middleware survive.
  • Any write (authenticated or anonymous) now forces first-primary, so an anonymous form/comment POST isn't racing across replicas.
  • The session user is read once per request and reused in both the fast path and the full runtime init (previously read twice on authenticated public-page traffic).
  • Bookmark cookies are validated only for length (≤1024) and absence of control characters — no stricter shape check, so a future D1 bookmark format change won't silently degrade consistency.
  • The !config bail-out now still applies baseline security headers.
  • __ec_d1_bookmark references aligned to __em_d1_bookmark across runtime, docs, and JSDoc.

• #569 134f776 Thanks @Yusaku01! - Fixes the playground toolbar layout on small screens.

• #653 f97d6ab Thanks @ascorbic! - Adds opt-in query instrumentation for performance regression testing. Setting EMDASH_QUERY_LOG=1 causes the Kysely log hook to emit [emdash-query-log]-prefixed NDJSON on stdout for every DB query executed inside a request, tagged with the route, method, and an X-Perf-Phase header value. Zero runtime overhead when the flag is unset — the log option is only attached to Kysely when enabled.

  Also exposes the helpers at emdash/database/instrumentation so first-party adapters (e.g. @emdash-cms/cloudflare) can wire the same hook into their per-request Kysely instances.

• Updated dependencies [ada4ac7, f279320, 7f75193, cfd01f3, 38d637b, 31d2f4e, 445b3bf, 943d540, 2cb3165, 1859347, 14c923b, c5ef0f5, f839381, 002d0ac, 0a61ef4, 6d41fe1, b158e40, f97d6ab, e67b940, 0896ec8, 629fe1d, f52154d, 8221c2a, 8fb93eb, 6d7f288, 4ffa141, 04e6cca, 9295cc1]:

  • [email protected]

Minor Changes

• #565 913cb62 Thanks @ophirbucai! - Adds full RTL (right-to-left) support to the admin UI by converting all directional Tailwind classes to their direction-aware equivalents.

Patch Changes

• #610 dfcb0cd Thanks @drudge! - Passes plugin block definitions into the PortableTextEditor nested inside WidgetEditor, so custom plugin-registered block types (image blocks, marker blocks, etc.) can be inserted and rendered inside content-type widgets. The manifest is fetched with react-query in the top-level Widgets component, flattened into a PluginBlockDef[] list, and threaded through WidgetAreaPanel → WidgetItem → WidgetEditor.

• #568 cf63b02 Thanks @Vallhalen! - Fix document outline not showing headings on initial load. The outline now defers initial extraction to next tick (so TipTap finishes hydrating) and also listens for transaction events to catch programmatic content changes.

• #564 0b32b2f Thanks @ascorbic! - Replaces the horizontal language-switch button bar on the admin login page with a dropdown, so the selector stays usable as more locales are added.

• #592 6c92d58 Thanks @asdfgl98! - Adds Korean locale support to the admin UI.

• #559 a2d5afb Thanks @ayfl269! - Adds Chinese (Traditional) translation for the admin UI, including login page, settings page, and locale switching.

• #604 39d285e Thanks @all3f0r1! - Fixes loading spinner not centered under logo on the login page.

• Updated dependencies []:

  • @emdash-cms/[email protected]

Minor Changes

• #540 82c6345 Thanks @jdevalk! - Adds where: { status?, locale? } to ContentListOptions, letting plugins narrow ContentAccess.list() results at the database layer instead of filtering the returned array. The underlying repository already supports these filters — this PR only exposes them through the plugin-facing type.

• #551 598026c Thanks @ophirbucai! - Adds RTL (right-to-left) language support infrastructure. Enables proper text direction for RTL languages like Arabic, Hebrew, Farsi, and Urdu. Includes LocaleDirectionProvider component that syncs HTML dir/lang attributes with Kumo's DirectionProvider for automatic layout mirroring when locale changes.

Patch Changes

• #542 64f90d1 Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration.

• #555 197bc1b Thanks @ascorbic! - Fixes OAuth authorization server metadata discovery for MCP clients by serving it at the RFC 8414-compliant path.

• #534 ce873f8 Thanks @ttmx! - Fixes Table block to render inline marks (bold, italic, code, links, etc.) through the Portable Text pipeline instead of stripping them to plain text. Links are sanitized via sanitizeHref(). Table styles now use CSS custom properties with fallbacks.

• Updated dependencies [9ea4cf7, 64f90d1, 598026c]:

  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #542 64f90d1 Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration.

Minor Changes

• #551 598026c Thanks @ophirbucai! - Adds RTL (right-to-left) language support infrastructure. Enables proper text direction for RTL languages like Arabic, Hebrew, Farsi, and Urdu. Includes LocaleDirectionProvider component that syncs HTML dir/lang attributes with Kumo's DirectionProvider for automatic layout mirroring when locale changes.

Patch Changes

• #489 9ea4cf7 Thanks @all3f0r1! - Adds JSON field editor in admin UI content forms

• #542 64f90d1 Thanks @mohamedmostafa58! - Fixes invite flow: corrects invite URL to point to admin UI page, adds InviteAcceptPage for passkey registration.

• Updated dependencies []:

  • @emdash-cms/[email protected]

Patch Changes

• Updated dependencies [82c6345, 64f90d1, 598026c, 197bc1b, ce873f8]:
  • [email protected]
  • @emdash-cms/[email protected]

Patch Changes

• #543 7382c9d Thanks @ascorbic! - Fixes sandboxed plugin loading in Worker Loader by providing an emdash shim module

• Updated dependencies [82c6345, 64f90d1, 598026c, 197bc1b, ce873f8]:

  • [email protected]