@glw907/cairn-cms 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Geoff Wright
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,48 @@
+# cairn-cms
+
+An embedded, **magic-link**, GitHub-committing CMS for SvelteKit + Cloudflare sites.
+Non-technical authors log in by email (no GitHub account, no password), edit **raw
+markdown** in a [Carta](https://github.com/BearToCode/carta) editor, and save — which
+commits to `main` via a **GitHub App** (committer = `cairn-cms[bot]`, author = the editor)
+and auto-deploys.
+
+It is **design-agnostic**: each consumer site supplies an adapter (collections, slug
+convention, frontmatter schema, and its own `renderPreview(md)`), so the same engine drives
+sites with completely different markdown pipelines — e.g. [ecnordic.ski](https://ecnordic.ski)
+(remark→rehype directive pipeline) and [907.life](https://907.life) (plain `remark-html`).
+
+## Status
+
+**Early (`0.1.x`) — works, API not yet frozen.** The core was built *inside ecnordic.ski first*
+(the richer proving ground) with the cairn-core ↔ site-adapter seams designed in from day one,
+then extracted into this package and validated on a second design (907.life). The auth, GitHub
+commit path, Carta preview, the adapter contract, and the shared admin shell (`/sveltekit`
+server logic + `/components` Svelte UI) all run on both sites. The adapter API may still change
+before `1.0` (pending a forward-compatibility review) — pin a caret range and expect 0.x churn.
+
+## Install
+
+```sh
+npm install @glw907/cairn-cms
+```
+
+Peers: `svelte@^5`, `@sveltejs/kit@^2`, and `carta-md@^4.11` (the editor component). Each site
+implements a `CairnAdapter` (see `docs/PLAN.md`) and mounts thin `/admin` route shims around
+`@glw907/cairn-cms/sveltekit` (server logic) and `@glw907/cairn-cms/components` (the admin UI).
+
+## How it's developed
+
+This repo lives in a dev meta-workspace alongside its consumer sites:
+
+```
+~/Projects/cairn/                 # npm workspace root (not a git repo)
+  cairn-cms/        ← this repo
+  ecnordic-ski/     ← consumer (first proving ground)
+  907-life/         ← consumer (second design, validates the abstraction)
+```
+
+npm workspaces symlink `cairn-cms` into each site's `node_modules` for zero-publish local
+dev. In CI, each site pins a published version so deploys stay reproducible.
+
+See **`docs/PLAN.md`** for the full architecture, locked decisions, phased passes, and
+risk register.

package/dist/adapter.d.ts

@@ -0,0 +1,60 @@
+import type { PreviewPlugins } from './carta';
+import type { RepoRef } from './github';
+interface FieldBase {
+    /** Frontmatter key and form input name. */
+    name: string;
+    label: string;
+    required?: boolean;
+}
+export interface TextField extends FieldBase {
+    type: 'text';
+}
+export interface DateField extends FieldBase {
+    type: 'date';
+}
+export interface TextareaField extends FieldBase {
+    type: 'textarea';
+    rows?: number;
+}
+export interface BooleanField extends FieldBase {
+    type: 'boolean';
+}
+export interface TagsField extends FieldBase {
+    type: 'tags';
+    /** Controlled vocabulary rendered as checkboxes. */
+    options: readonly string[];
+}
+export interface FreeTagsField extends FieldBase {
+    type: 'freetags';
+    /** Free-form tags, edited as one comma-separated text input (no controlled vocabulary). */
+    placeholder?: string;
+}
+export type CairnField = TextField | DateField | TextareaField | BooleanField | TagsField | FreeTagsField;
+export interface CairnCollection {
+    /** Route `[type]` segment and list key, e.g. `posts`. */
+    type: string;
+    label: string;
+    /** Repo-relative folder holding the collection's markdown files. */
+    dir: string;
+    /** Editor form fields, rendered in order. */
+    fields: CairnField[];
+    /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
+    validate(data: Record<string, unknown>, source: string): object;
+}
+export interface CairnAdapter {
+    /** Branding + magic-link email copy. */
+    siteName: string;
+    /** From: address for magic-link email — a domain-authenticated sender. */
+    sender: string;
+    /** The repository the admin reads content from and commits to. */
+    backend: RepoRef;
+    /** Site plugin set for the Carta preview (parity with the live render). */
+    preview: PreviewPlugins;
+    collections: CairnCollection[];
+}
+/** Look up a collection by its route segment, or undefined if the segment is unknown. */
+export declare function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined;
+/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
+export declare function frontmatterFromForm(collection: CairnCollection, form: FormData): Record<string, unknown>;
+export {};
+//# sourceMappingURL=adapter.d.ts.map

package/dist/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAExC,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;CAChC;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}

package/dist/adapter.js

@@ -0,0 +1,30 @@
+/** Look up a collection by its route segment, or undefined if the segment is unknown. */
+export function findCollection(adapter, type) {
+    return adapter.collections.find((collection) => collection.type === type);
+}
+/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
+export function frontmatterFromForm(collection, form) {
+    const data = {};
+    for (const field of collection.fields) {
+        switch (field.type) {
+            case 'boolean':
+                data[field.name] = form.get(field.name) === 'on';
+                break;
+            case 'tags':
+                data[field.name] = form.getAll(field.name).map(String);
+                break;
+            case 'freetags':
+                // One comma-separated input → trimmed, de-duplicated, non-empty tags.
+                data[field.name] = [
+                    ...new Set(String(form.get(field.name) ?? '')
+                        .split(',')
+                        .map((tag) => tag.trim())
+                        .filter(Boolean)),
+                ];
+                break;
+            default:
+                data[field.name] = form.get(field.name);
+        }
+    }
+    return data;
+}

package/dist/auth.d.ts

@@ -0,0 +1,16 @@
+import type { KVNamespace } from '@cloudflare/workers-types';
+export interface Editor {
+    email: string;
+    name: string;
+}
+export declare const SESSION_COOKIE = "cairn_session";
+export declare const SESSION_MAX_AGE: number;
+/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
+export declare function createMagicLink(email: string, secret: string, kv: KVNamespace): Promise<string>;
+/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
+export declare function redeemMagicToken(token: string, secret: string, kv: KVNamespace): Promise<string | null>;
+export declare function createSession(editor: Editor, secret: string): Promise<string>;
+export declare function verifySession(token: string, secret: string): Promise<Editor | null>;
+/** Look up an editor in the KV allowlist (`editor:<email>` → display name). */
+export declare function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAIzF;AAED,+EAA+E;AAC/E,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF"}

package/dist/auth.js

@@ -0,0 +1,93 @@
+// cairn-core: magic-link auth + signed sessions.
+//
+// Generic across sites — no ecnordic specifics here. Crypto is Web Crypto (HMAC-SHA256)
+// so it runs unchanged on Cloudflare Workers under nodejs_compat. Single-use enforcement
+// for magic links rides on a KV nonce; signature + expiry are self-contained in the token.
+import { bytesToB64url } from './utils';
+export const SESSION_COOKIE = 'cairn_session';
+const MAGIC_TTL_SECONDS = 600; // 10 minutes
+const SESSION_TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
+export const SESSION_MAX_AGE = SESSION_TTL_SECONDS;
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function b64urlToBytes(value) {
+    const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = normalized + '='.repeat((4 - (normalized.length % 4)) % 4);
+    return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
+}
+// TextEncoder/atob produce Uint8Arrays whose generic buffer type no longer satisfies
+// Web Crypto's BufferSource under strict lib types; hand the underlying ArrayBuffer over.
+function buf(bytes) {
+    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}
+async function hmacKey(secret) {
+    return crypto.subtle.importKey('raw', buf(encoder.encode(secret)), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
+}
+/** Sign an arbitrary JSON payload as `<base64url(payload)>.<base64url(hmac)>`. */
+async function signToken(data, secret) {
+    const payload = bytesToB64url(encoder.encode(JSON.stringify(data)));
+    const key = await hmacKey(secret);
+    const sig = await crypto.subtle.sign('HMAC', key, buf(encoder.encode(payload)));
+    return `${payload}.${bytesToB64url(new Uint8Array(sig))}`;
+}
+/** Verify signature (constant-time via subtle.verify) and parse the payload, or null. */
+async function verifyToken(token, secret) {
+    const dot = token.indexOf('.');
+    if (dot < 0)
+        return null;
+    const payload = token.slice(0, dot);
+    const sig = token.slice(dot + 1);
+    const key = await hmacKey(secret);
+    let ok = false;
+    try {
+        ok = await crypto.subtle.verify('HMAC', key, buf(b64urlToBytes(sig)), buf(encoder.encode(payload)));
+    }
+    catch {
+        return null;
+    }
+    if (!ok)
+        return null;
+    try {
+        return JSON.parse(decoder.decode(b64urlToBytes(payload)));
+    }
+    catch {
+        return null;
+    }
+}
+/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
+export async function createMagicLink(email, secret, kv) {
+    const nonce = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)));
+    const exp = Date.now() + MAGIC_TTL_SECONDS * 1000;
+    const token = await signToken({ email, exp, nonce }, secret);
+    await kv.put(`ml:${nonce}`, email, { expirationTtl: MAGIC_TTL_SECONDS });
+    return token;
+}
+/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
+export async function redeemMagicToken(token, secret, kv) {
+    const payload = await verifyToken(token, secret);
+    if (!payload || Date.now() > payload.exp)
+        return null;
+    const stored = await kv.get(`ml:${payload.nonce}`);
+    if (stored !== payload.email)
+        return null;
+    await kv.delete(`ml:${payload.nonce}`); // burn it — single use
+    return payload.email;
+}
+export async function createSession(editor, secret) {
+    const exp = Date.now() + SESSION_TTL_SECONDS * 1000;
+    return signToken({ ...editor, exp }, secret);
+}
+export async function verifySession(token, secret) {
+    const payload = await verifyToken(token, secret);
+    if (!payload || Date.now() > payload.exp)
+        return null;
+    return { email: payload.email, name: payload.name };
+}
+/** Look up an editor in the KV allowlist (`editor:<email>` → display name). */
+export async function lookupEditor(email, kv) {
+    const normalized = email.trim().toLowerCase();
+    const name = await kv.get(`editor:${normalized}`);
+    if (name === null)
+        return null;
+    return { email: normalized, name };
+}

package/dist/carta.d.ts

@@ -0,0 +1,39 @@
+import type { Pluggable, Processor } from 'unified';
+export interface PreviewPlugins {
+    /** remark plugins, injected after gfm and before remark-rehype. */
+    remarkPlugins: Pluggable[];
+    /** rehype plugins, injected after remark-rehype. */
+    rehypePlugins: Pluggable[];
+}
+interface PreviewTransformer {
+    execution: 'sync';
+    type: 'remark' | 'rehype';
+    transform: (ctx: {
+        processor: Processor;
+    }) => void;
+}
+/**
+ * Map the site's plugin set to Carta sync transformers, remark phase before rehype.
+ * Carta's processor is remarkParse → gfm → [remark] → remark-rehype → [rehype] → stringify,
+ * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
+ */
+export declare function previewTransformers({ remarkPlugins, rehypePlugins }: PreviewPlugins): PreviewTransformer[];
+/** Minimal Options subset we populate — avoids importing carta-md (Svelte re-exports). */
+interface PreviewCartaOptions {
+    sanitizer: false;
+    rehypeOptions: {
+        allowDangerousHtml: boolean;
+    };
+    extensions: Array<{
+        transformers: PreviewTransformer[];
+    }>;
+}
+/**
+ * Carta options for a render-only preview: site plugins wired in, raw HTML allowed, no
+ * sanitizer. Authors are trusted and the directive pipeline emits intentional raw HTML
+ * (render.ts uses allowDangerousHtml + rehype-raw); sanitizing here would strip EC
+ * primitives. The Svelte component passes this to `new Carta(...)`.
+ */
+export declare function previewCartaOptions(plugins: PreviewPlugins): PreviewCartaOptions;
+export {};
+//# sourceMappingURL=carta.d.ts.map

package/dist/carta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0FAA0F;AAC1F,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}

package/dist/carta.js

@@ -0,0 +1,30 @@
+function phase(plugins, type) {
+    return plugins.map((plugin) => ({
+        execution: 'sync',
+        type,
+        transform: ({ processor }) => {
+            processor.use([plugin]);
+        },
+    }));
+}
+/**
+ * Map the site's plugin set to Carta sync transformers, remark phase before rehype.
+ * Carta's processor is remarkParse → gfm → [remark] → remark-rehype → [rehype] → stringify,
+ * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
+ */
+export function previewTransformers({ remarkPlugins, rehypePlugins }) {
+    return [...phase(remarkPlugins, 'remark'), ...phase(rehypePlugins, 'rehype')];
+}
+/**
+ * Carta options for a render-only preview: site plugins wired in, raw HTML allowed, no
+ * sanitizer. Authors are trusted and the directive pipeline emits intentional raw HTML
+ * (render.ts uses allowDangerousHtml + rehype-raw); sanitizing here would strip EC
+ * primitives. The Svelte component passes this to `new Carta(...)`.
+ */
+export function previewCartaOptions(plugins) {
+    return {
+        sanitizer: false,
+        rehypeOptions: { allowDangerousHtml: true },
+        extensions: [{ transformers: previewTransformers(plugins) }],
+    };
+}

package/dist/components/AdminLayout.svelte

@@ -0,0 +1,18 @@
+<script lang="ts">
+  // Neutral admin chrome — robots noindex + a centered container, scoped to /admin. Shared
+  // across sites so the admin tool looks identical everywhere (only siteName, supplied by
+  // pages, varies). Each site's `admin/+layout.svelte` is a one-line shim around this.
+  import type { Snippet } from 'svelte';
+
+  let { children }: { children: Snippet } = $props();
+</script>
+
+<svelte:head>
+  <meta name="robots" content="noindex, nofollow" />
+</svelte:head>
+
+<div class="min-h-screen bg-base-200" data-pagefind-ignore>
+  <div class="mx-auto max-w-3xl px-4 py-8">
+    {@render children()}
+  </div>
+</div>

package/dist/components/AdminLayout.svelte.d.ts

@@ -0,0 +1,8 @@
+import type { Snippet } from 'svelte';
+type $$ComponentProps = {
+    children: Snippet;
+};
+declare const AdminLayout: import("svelte").Component<$$ComponentProps, {}, "">;
+type AdminLayout = ReturnType<typeof AdminLayout>;
+export default AdminLayout;
+//# sourceMappingURL=AdminLayout.svelte.d.ts.map

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAErC,KAAK,gBAAgB,GAAI;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC;AAsBhD,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/AdminList.svelte

@@ -0,0 +1,41 @@
+<script lang="ts">
+  // The /admin content list: every collection's files, linking into the editor. Data comes
+  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (editor, siteName).
+  import type { Editor } from '../auth';
+  import type { AdminCollectionList } from '../sveltekit';
+
+  interface Props {
+    data: { siteName: string; editor: Editor | null; collections: AdminCollectionList[] };
+  }
+  let { data }: Props = $props();
+</script>
+
+<div class="flex items-center justify-between">
+  <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
+  <form method="POST" action="/admin/auth/logout">
+    <button type="submit" class="btn btn-ghost btn-sm">Sign out</button>
+  </form>
+</div>
+
+<p class="mt-2 text-sm opacity-70">
+  Signed in as {data.editor?.name} ({data.editor?.email})
+</p>
+
+{#each data.collections as collection (collection.type)}
+  <section class="mt-8">
+    <h2 class="mb-3 text-lg font-semibold">{collection.label}</h2>
+    {#if collection.error}
+      <div class="alert alert-warning">Couldn't load {collection.label.toLowerCase()}: {collection.error}</div>
+    {:else if collection.files.length === 0}
+      <p class="opacity-60">No content yet.</p>
+    {:else}
+      <ul class="menu rounded-box border border-base-300 bg-base-100 p-2">
+        {#each collection.files as file (file.path)}
+          <li>
+            <a href="/admin/edit/{collection.type}/{file.id}">{file.id}</a>
+          </li>
+        {/each}
+      </ul>
+    {/if}
+  </section>
+{/each}

package/dist/components/AdminList.svelte.d.ts

@@ -0,0 +1,13 @@
+import type { Editor } from '../auth';
+import type { AdminCollectionList } from '../sveltekit';
+interface Props {
+    data: {
+        siteName: string;
+        editor: Editor | null;
+        collections: AdminCollectionList[];
+    };
+}
+declare const AdminList: import("svelte").Component<Props, {}, "">;
+type AdminList = ReturnType<typeof AdminList>;
+export default AdminList;
+//# sourceMappingURL=AdminList.svelte.d.ts.map

package/dist/components/AdminList.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AdminList.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminList.svelte.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACtC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGtD,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,WAAW,EAAE,mBAAmB,EAAE,CAAA;KAAE,CAAC;CACvF;AA0CH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}

package/dist/components/EditPage.svelte

@@ -0,0 +1,125 @@
+<script lang="ts">
+  // The editor: a per-field frontmatter form (driven by the adapter's `fields`) plus a Carta
+  // markdown editor whose preview runs the site's plugin set (passed as `preview`). Data comes
+  // from `editLoad` merged with `adminLayoutLoad` (siteName); `carta-md` is a peer dependency.
+  import { onMount } from 'svelte';
+  import { Carta, MarkdownEditor } from 'carta-md';
+  import 'carta-md/default.css';
+  import { previewCartaOptions, type PreviewPlugins } from '../carta';
+  import type { CairnField } from '../adapter';
+  import type { EditData } from '../sveltekit';
+
+  let { data, preview }: { data: EditData & { siteName: string }; preview: PreviewPlugins } = $props();
+
+  // Body is editable state; the Carta editor's preview runs the exact site plugin set, so it
+  // matches the live page. A hidden input carries the current value into the form.
+  // svelte-ignore state_referenced_locally — seeding from the initial load is intended.
+  let body = $state(data.body);
+
+  // svelte-ignore state_referenced_locally — the preview plugin set is fixed for the load.
+  const carta = new Carta(previewCartaOptions(preview));
+
+  // Carta's MarkdownEditor must not render on the worker (it pulls Shiki). onMount fires only
+  // in the browser, so SSR renders the plain textarea and the client swaps in the editor —
+  // the kit-free equivalent of the per-site route's `$app/environment` `browser` guard.
+  let mounted = $state(false);
+  onMount(() => {
+    mounted = true;
+  });
+
+  // svelte-ignore state_referenced_locally — form defaults from the initial load.
+  const fm = data.frontmatter as Record<string, unknown>;
+
+  function fmString(key: string): string {
+    return typeof fm[key] === 'string' ? (fm[key] as string) : '';
+  }
+  function fmTags(key: string): Set<string> {
+    return new Set(Array.isArray(fm[key]) ? (fm[key] as unknown[]).map(String) : []);
+  }
+  function fmFreeTags(key: string): string {
+    return Array.isArray(fm[key]) ? (fm[key] as unknown[]).map(String).join(', ') : '';
+  }
+</script>
+
+<svelte:head>
+  <title>Edit {data.title} · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="flex items-center justify-between gap-4">
+  <div>
+    <a href="/admin" class="text-sm opacity-70 hover:underline">← Back</a>
+    <h1 class="mt-1 text-2xl font-bold">{data.title}</h1>
+    <p class="text-sm opacity-60">{data.label} · {data.path}</p>
+  </div>
+</div>
+
+{#if data.saved}
+  <div class="alert alert-success mt-6"><span>Saved — committed to main; the site will redeploy.</span></div>
+{:else if data.error}
+  <div class="alert alert-error mt-6"><span>{data.error}</span></div>
+{/if}
+
+<form method="POST" action="/admin/save" class="mt-6 flex flex-col gap-5">
+  <input type="hidden" name="type" value={data.type} />
+  <input type="hidden" name="id" value={data.id} />
+
+  <fieldset class="grid gap-4 rounded-box border border-base-300 bg-base-100 p-6">
+    {#each data.fields as field (field.name)}
+      {#if field.type === 'text' || field.type === 'date'}
+        <label class="flex flex-col gap-1">
+          <span class="text-sm font-medium">{field.label}</span>
+          <input
+            type={field.type === 'date' ? 'date' : 'text'}
+            name={field.name}
+            required={field.required}
+            value={fmString(field.name)}
+            class="input input-bordered w-full"
+          />
+        </label>
+      {:else if field.type === 'textarea'}
+        <label class="flex flex-col gap-1">
+          <span class="text-sm font-medium">{field.label}</span>
+          <textarea name={field.name} required={field.required} rows={field.rows ?? 4}
+            class="textarea textarea-bordered w-full">{fmString(field.name)}</textarea>
+        </label>
+      {:else if field.type === 'tags'}
+        <div class="flex flex-col gap-1">
+          <span class="text-sm font-medium">{field.label}</span>
+          <div class="flex flex-wrap gap-3">
+            {#each field.options as option (option)}
+              <label class="flex items-center gap-2 text-sm">
+                <input type="checkbox" name={field.name} value={option}
+                  checked={fmTags(field.name).has(option)} class="checkbox checkbox-sm" />
+                {option}
+              </label>
+            {/each}
+          </div>
+        </div>
+      {:else if field.type === 'freetags'}
+        <label class="flex flex-col gap-1">
+          <span class="text-sm font-medium">{field.label}</span>
+          <input type="text" name={field.name} value={fmFreeTags(field.name)}
+            placeholder={field.placeholder ?? 'comma, separated'} class="input input-bordered w-full" />
+        </label>
+      {:else if field.type === 'boolean'}
+        <label class="flex items-center gap-2 text-sm font-medium">
+          <input type="checkbox" name={field.name} checked={fm[field.name] === true} class="checkbox checkbox-sm" />
+          {field.label}
+        </label>
+      {/if}
+    {/each}
+  </fieldset>
+
+  <div class="rounded-box border border-base-300 bg-base-100 p-2">
+    <input type="hidden" name="body" value={body} />
+    {#if mounted}
+      <MarkdownEditor {carta} bind:value={body} mode="tabs" />
+    {:else}
+      <textarea bind:value={body} rows="20" class="textarea textarea-bordered w-full font-mono"></textarea>
+    {/if}
+  </div>
+
+  <div class="flex justify-end">
+    <button type="submit" class="btn btn-primary">Save &amp; commit</button>
+  </div>
+</form>

package/dist/components/EditPage.svelte.d.ts

@@ -0,0 +1,13 @@
+import 'carta-md/default.css';
+import { type PreviewPlugins } from '../carta';
+import type { EditData } from '../sveltekit';
+type $$ComponentProps = {
+    data: EditData & {
+        siteName: string;
+    };
+    preview: PreviewPlugins;
+};
+declare const EditPage: import("svelte").Component<$$ComponentProps, {}, "">;
+type EditPage = ReturnType<typeof EditPage>;
+export default EditPage;
+//# sourceMappingURL=EditPage.svelte.d.ts.map

package/dist/components/EditPage.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EditPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/EditPage.svelte.ts"],"names":[],"mappings":"AAQA,OAAO,sBAAsB,CAAC;AAC9B,OAAO,EAAuB,KAAK,cAAc,EAAE,MAAM,UAAU,CAAC;AAEpE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAE5C,KAAK,gBAAgB,GAAI;IAAE,IAAI,EAAE,QAAQ,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,OAAO,EAAE,cAAc,CAAA;CAAE,CAAC;AAwH7F,QAAA,MAAM,QAAQ,sDAAwC,CAAC;AACvD,KAAK,QAAQ,GAAG,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC;AAC5C,eAAe,QAAQ,CAAC"}

package/dist/components/LoginPage.svelte

@@ -0,0 +1,47 @@
+<script lang="ts">
+  // The magic-link sign-in page. Posts the email to /admin/auth/request; `sent`/`error` come
+  // from `loginLoad` (querystring) merged with `adminLayoutLoad` (siteName).
+  interface Props {
+    data: { siteName: string; sent: boolean; error: string | null };
+  }
+  let { data }: Props = $props();
+
+  const errorMessages: Record<string, string> = {
+    invalid: 'Please enter a valid email address.',
+    denied: 'That email is not on the editor allowlist.',
+    expired: 'That sign-in link has expired or was already used. Request a new one.',
+    config: 'Sign-in is not configured. Contact the site admin.',
+  };
+</script>
+
+<svelte:head>
+  <title>Sign in · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="mx-auto mt-16 max-w-md rounded-box border border-base-300 bg-base-100 p-8">
+  <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
+  <p class="mt-1 text-sm opacity-70">Sign in with your editor email.</p>
+
+  {#if data.sent}
+    <div class="alert alert-success mt-6">
+      <span>Check your inbox — a sign-in link is on its way. It expires in 10 minutes.</span>
+    </div>
+  {:else}
+    {#if data.error}
+      <div class="alert alert-error mt-6">
+        <span>{errorMessages[data.error] ?? 'Something went wrong. Try again.'}</span>
+      </div>
+    {/if}
+    <form method="POST" action="/admin/auth/request" class="mt-6 flex flex-col gap-3">
+      <input
+        type="email"
+        name="email"
+        required
+        autocomplete="email"
+        placeholder="you@example.com"
+        class="input input-bordered w-full"
+      />
+      <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
+    </form>
+  {/if}
+</div>

package/dist/components/LoginPage.svelte.d.ts

@@ -0,0 +1,11 @@
+interface Props {
+    data: {
+        siteName: string;
+        sent: boolean;
+        error: string | null;
+    };
+}
+declare const LoginPage: import("svelte").Component<Props, {}, "">;
+type LoginPage = ReturnType<typeof LoginPage>;
+export default LoginPage;
+//# sourceMappingURL=LoginPage.svelte.d.ts.map