fix: surface superstruct validation errors and normalize update-API paths

[drlukeangel]

Two related fixes for a single user-facing bug

Saving an entry that contains a markdoc field with a relative-path asset reference (e.g. ![](../../assets/blog/x.png)) fails with HTTP 400 and a body of literally "Bad data" — no path, no field, no schema hint.

The cause is two-fold, and this PR addresses both in one place because the second fix is hard to verify without the first.

1. fix(api): surface superstruct validation errors

packages/keystatic/src/api/api-node.ts

The update endpoint's try { s.create(...) } catch { ... } was returning a constant 'Bad data' string and discarding the StructError. That error contains .path, .type, .message, and .failures() — all of which were silently dropped.

This PR widens the catch to inspect the error. When it's a superstruct StructError, the response body becomes JSON:

{
  "error": "Bad data",
  "path": "deletions.0.path",
  "type": "string",
  "message": "Expected a value of type `string`, but received: ...",
  "failures": [
    { "path": ["deletions", 0, "path"], "type": "string", "refinement": "filepath", "message": "..." }
  ]
}

Non-StructError exceptions still return the bare 'Bad data' string (backwards-compatible with anyone reading the body as a plain string). content-type: application/json is set on the structured branch only, so clients can dispatch on the header.

2. fix(app): normalize update-API paths at the wire boundary

packages/keystatic/src/app/path-utils.ts, packages/keystatic/src/app/updating.tsx

The editor builds wire-format paths for asset additions/deletions as:

{basePath}/{slug}/{field}/{relative_asset_path}

For a markdoc body like ![](../../assets/blog/x.png) in src/content/blog/{slug}.mdoc, the wire path becomes:

src/content/blog/{slug}/content/../../assets/blog/x.png

That string was sent to the API verbatim. The API's getIsPathValid refinement rejects any path segment equal to .., so the schema validation fails on additions[].path or deletions[].path. Combined with fix #1 this is now diagnosable; without it the user sees only Bad data.

This PR adds a small POSIX-style path normalizer (normalizePosixPath) and applies it at the two fetch('/api/keystatic/update', { ... }) sites in useUpsertItem and useDeleteItem. Normalization happens at the wire boundary only, so the upstream diff math (additions vs initialFiles to derive deletions) continues to run on the raw, unnormalized paths and the symmetric cancellation between them is preserved. Only the final JSON sent over the wire has .. segments resolved.

Tests

packages/keystatic/src/app/path-utils.test.ts covers:

• Single .. resolution
• Consecutive ..
• . segment removal
• Consecutive / collapse
• Leading .. preservation when there is no parent to resolve against
• Absolute-root behavior (/../a → /a)
• Already-clean relative and absolute paths
• The realistic Keystatic update case from this bug

Why one PR

Fix #1 is unambiguously good. Fix #2 fixes the user-visible failure but is meaningfully easier to review together with #1, because #1 is the diagnostic that makes the failure shape obvious in the first place. Splitting them risks #2 looking arbitrary without the context #1 provides.

Happy to revise the response shape, the location of the normalizer (path-utils.ts vs inline), the test layout, or anything else.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 10b0725

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR