@glw907/cairn-cms 0.1.0 → 0.3.0

package/dist/auth.d.ts

@@ -1,7 +1,10 @@
 import type { KVNamespace } from '@cloudflare/workers-types';
+/** Two-tier, per-site role. `owner`s manage the editor allowlist; `editor`s only edit content. */
+export type Role = 'owner' | 'editor';
 export interface Editor {
     email: string;
     name: string;
+    role: Role;
 }
 export declare const SESSION_COOKIE = "cairn_session";
 export declare const SESSION_MAX_AGE: number;
@@ -11,6 +14,12 @@ export declare function createMagicLink(email: string, secret: string, kv: KVNam
 export declare function redeemMagicToken(token: string, secret: string, kv: KVNamespace): Promise<string | null>;
 export declare function createSession(editor: Editor, secret: string): Promise<string>;
 export declare function verifySession(token: string, secret: string): Promise<Editor | null>;
-/** Look up an editor in the KV allowlist (`editor:<email>` → display name). */
+/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
 export declare function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null>;
+/** Every allowlisted editor, sorted by email — the manage-admins list. */
+export declare function listEditors(kv: KVNamespace): Promise<Editor[]>;
+/** Add or update an allowlist entry (JSON value). Email is normalized. */
+export declare function setEditor(email: string, name: string, role: Role, kv: KVNamespace): Promise<void>;
+/** Remove an allowlist entry. */
+export declare function removeEditor(email: string, kv: KVNamespace): Promise<void>;
 //# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAIzF;AAED,+EAA+E;AAC/E,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,kGAAkG;AAClG,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAyBD,iFAAiF;AACjF,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAED,0EAA0E;AAC1E,wBAAsB,WAAW,CAAC,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CASpE;AAED,0EAA0E;AAC1E,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,iCAAiC;AACjC,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhF"}

package/dist/auth.js

@@ -81,13 +81,52 @@ export async function verifySession(token, secret) {
     const payload = await verifyToken(token, secret);
     if (!payload || Date.now() > payload.exp)
         return null;
-    return { email: payload.email, name: payload.name };
+    // Sessions signed before roles existed carry no `role` — treat them as plain editors.
+    return { email: payload.email, name: payload.name, role: payload.role ?? 'editor' };
 }
-/** Look up an editor in the KV allowlist (`editor:<email>` → display name). */
+const KEY_PREFIX = 'editor:';
+/**
+ * Decode a stored allowlist value into name + role. Current entries are JSON
+ * (`{"name","role"}`); legacy entries are a bare display-name string, read as `editor`
+ * so the allowlist migrates lazily — re-saving an entry upgrades it to the JSON shape.
+ */
+function parseEditorValue(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed.name === 'string') {
+            return { name: parsed.name, role: parsed.role === 'owner' ? 'owner' : 'editor' };
+        }
+    }
+    catch {
+        // Not JSON — legacy bare display-name; treat as editor.
+    }
+    return { name: raw, role: 'editor' };
+}
+function serializeEditorValue(name, role) {
+    return JSON.stringify({ name, role });
+}
+/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
 export async function lookupEditor(email, kv) {
     const normalized = email.trim().toLowerCase();
-    const name = await kv.get(`editor:${normalized}`);
-    if (name === null)
+    const raw = await kv.get(`${KEY_PREFIX}${normalized}`);
+    if (raw === null)
         return null;
-    return { email: normalized, name };
+    return { email: normalized, ...parseEditorValue(raw) };
+}
+/** Every allowlisted editor, sorted by email — the manage-admins list. */
+export async function listEditors(kv) {
+    const { keys } = await kv.list({ prefix: KEY_PREFIX });
+    const editors = await Promise.all(keys.map(async ({ name: key }) => {
+        const raw = (await kv.get(key)) ?? '';
+        return { email: key.slice(KEY_PREFIX.length), ...parseEditorValue(raw) };
+    }));
+    return editors.sort((a, b) => a.email.localeCompare(b.email));
+}
+/** Add or update an allowlist entry (JSON value). Email is normalized. */
+export async function setEditor(email, name, role, kv) {
+    await kv.put(`${KEY_PREFIX}${email.trim().toLowerCase()}`, serializeEditorValue(name, role));
+}
+/** Remove an allowlist entry. */
+export async function removeEditor(email, kv) {
+    await kv.delete(`${KEY_PREFIX}${email.trim().toLowerCase()}`);
 }

package/dist/components/AdminLayout.svelte

@@ -1,18 +1,130 @@
 <script lang="ts">
-  // Neutral admin chrome — robots noindex + a centered container, scoped to /admin. Shared
-  // across sites so the admin tool looks identical everywhere (only siteName, supplied by
-  // pages, varies). Each site's `admin/+layout.svelte` is a one-line shim around this.
+  // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
+  // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
+  // (`drawer lg:drawer-open` — sidebar pinned on desktop, slide-over + hamburger on mobile),
+  // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
+  // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
+  // (the login page lives under this layout) it falls back to a minimal centered shell.
+  // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
+  import type { Editor } from '../auth';
 
-  let { children }: { children: Snippet } = $props();
+  let {
+    data,
+    children,
+  }: {
+    data: { siteName: string; editor: Editor | null; pathname: string };
+    children: Snippet;
+  } = $props();
+
+  interface NavItem {
+    href: string;
+    label: string;
+    icon: Snippet;
+    active: boolean;
+    /** Owner-only surface — hidden from regular editors. */
+    owner?: boolean;
+  }
+
+  const nav = $derived<NavItem[]>([
+    {
+      href: '/admin',
+      label: 'Content',
+      icon: contentIcon,
+      active: data.pathname === '/admin' || data.pathname.startsWith('/admin/edit'),
+    },
+    {
+      href: '/admin/admins',
+      label: 'Editors',
+      icon: editorsIcon,
+      owner: true,
+      active: data.pathname.startsWith('/admin/admins'),
+    },
+  ]);
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+
+  // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
+  function closeDrawer(): void {
+    const toggle = document.getElementById('admin-drawer');
+    if (toggle instanceof HTMLInputElement) toggle.checked = false;
+  }
 </script>
 
+{#snippet contentIcon()}
+  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+      d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+  </svg>
+{/snippet}
+
+{#snippet editorsIcon()}
+  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+      d="M17 20h5v-2a4 4 0 00-3-3.87M9 20H4v-2a4 4 0 013-3.87m6-1.13a4 4 0 10-4-4 4 4 0 004 4zm6 0a4 4 0 10-3.5-2.1" />
+  </svg>
+{/snippet}
+
 <svelte:head>
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-<div class="min-h-screen bg-base-200" data-pagefind-ignore>
-  <div class="mx-auto max-w-3xl px-4 py-8">
-    {@render children()}
+{#if data.editor}
+  <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
+    <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
+
+    <div class="drawer-content">
+      <!-- Mobile top bar — the desktop sidebar replaces this at lg. -->
+      <div class="navbar bg-base-100 lg:hidden">
+        <div class="flex-1">
+          <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
+        </div>
+        <div class="flex-none">
+          <label for="admin-drawer" class="btn btn-square btn-ghost" aria-label="Open menu">
+            <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h7" />
+            </svg>
+          </label>
+        </div>
+      </div>
+
+      <main class="container px-4 py-6 lg:px-8">
+        {@render children()}
+      </main>
+    </div>
+
+    <div class="drawer-side z-10">
+      <label for="admin-drawer" class="drawer-overlay" aria-label="Close menu"></label>
+      <div class="flex min-h-full w-80 flex-col bg-base-100 lg:border-r lg:border-base-300">
+        <ul class="menu menu-lg grow p-4">
+          <li class="menu-title flex flex-row items-center text-xl font-bold text-base-content">
+            <span class="grow">{data.siteName} CMS</span>
+            <label for="admin-drawer" class="ml-3 cursor-pointer lg:hidden" aria-label="Close menu">✕</label>
+          </li>
+          {#each visibleNav as item (item.href)}
+            <li>
+              <a href={item.href} class={item.active ? 'active' : ''} onclick={closeDrawer}>
+                {@render item.icon()}
+                {item.label}
+              </a>
+            </li>
+          {/each}
+        </ul>
+
+        <div class="border-t border-base-300 p-4">
+          <p class="text-sm font-medium">{data.editor.name}</p>
+          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <form method="POST" action="/admin/auth/logout" class="mt-3">
+            <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+{:else}
+  <!-- Signed out (login page): no nav, just a centered surface. -->
+  <div class="min-h-screen bg-base-200" data-pagefind-ignore>
+    <div class="mx-auto max-w-3xl px-4 py-8">
+      {@render children()}
+    </div>
   </div>
-</div>
+{/if}

package/dist/components/AdminLayout.svelte.d.ts

@@ -1,5 +1,11 @@
 import type { Snippet } from 'svelte';
+import type { Editor } from '../auth';
 type $$ComponentProps = {
+    data: {
+        siteName: string;
+        editor: Editor | null;
+        pathname: string;
+    };
     children: Snippet;
 };
 declare const AdminLayout: import("svelte").Component<$$ComponentProps, {}, "">;

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAErC,KAAK,gBAAgB,GAAI;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC;AAsBhD,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAWrC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/AdminList.svelte

@@ -1,25 +1,17 @@
 <script lang="ts">
   // The /admin content list: every collection's files, linking into the editor. Data comes
-  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (editor, siteName).
-  import type { Editor } from '../auth';
+  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (siteName). The shell
+  // (AdminLayout) owns the chrome — site title, signed-in identity, nav, sign out — so this
+  // page renders only the content body.
   import type { AdminCollectionList } from '../sveltekit';
 
   interface Props {
-    data: { siteName: string; editor: Editor | null; collections: AdminCollectionList[] };
+    data: { collections: AdminCollectionList[] };
   }
   let { data }: Props = $props();
 </script>
 
-<div class="flex items-center justify-between">
-  <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
-  <form method="POST" action="/admin/auth/logout">
-    <button type="submit" class="btn btn-ghost btn-sm">Sign out</button>
-  </form>
-</div>
-
-<p class="mt-2 text-sm opacity-70">
-  Signed in as {data.editor?.name} ({data.editor?.email})
-</p>
+<h1 class="text-2xl font-bold">Content</h1>
 
 {#each data.collections as collection (collection.type)}
   <section class="mt-8">

package/dist/components/AdminList.svelte.d.ts

@@ -1,9 +1,6 @@
-import type { Editor } from '../auth';
 import type { AdminCollectionList } from '../sveltekit';
 interface Props {
     data: {
-        siteName: string;
-        editor: Editor | null;
         collections: AdminCollectionList[];
     };
 }

package/dist/components/AdminList.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminList.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminList.svelte.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACtC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGtD,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,WAAW,EAAE,mBAAmB,EAAE,CAAA;KAAE,CAAC;CACvF;AA0CH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}
+{"version":3,"file":"AdminList.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminList.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGtD,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,WAAW,EAAE,mBAAmB,EAAE,CAAA;KAAE,CAAC;CAC9C;AAkCH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}

package/dist/components/EditPage.svelte

@@ -73,14 +73,14 @@
             name={field.name}
             required={field.required}
             value={fmString(field.name)}
-            class="input input-bordered w-full"
+            class="input w-full"
           />
         </label>
       {:else if field.type === 'textarea'}
         <label class="flex flex-col gap-1">
           <span class="text-sm font-medium">{field.label}</span>
           <textarea name={field.name} required={field.required} rows={field.rows ?? 4}
-            class="textarea textarea-bordered w-full">{fmString(field.name)}</textarea>
+            class="textarea w-full">{fmString(field.name)}</textarea>
         </label>
       {:else if field.type === 'tags'}
         <div class="flex flex-col gap-1">
@@ -99,7 +99,7 @@
         <label class="flex flex-col gap-1">
           <span class="text-sm font-medium">{field.label}</span>
           <input type="text" name={field.name} value={fmFreeTags(field.name)}
-            placeholder={field.placeholder ?? 'comma, separated'} class="input input-bordered w-full" />
+            placeholder={field.placeholder ?? 'comma, separated'} class="input w-full" />
         </label>
       {:else if field.type === 'boolean'}
         <label class="flex items-center gap-2 text-sm font-medium">
@@ -115,7 +115,7 @@
     {#if mounted}
       <MarkdownEditor {carta} bind:value={body} mode="tabs" />
     {:else}
-      <textarea bind:value={body} rows="20" class="textarea textarea-bordered w-full font-mono"></textarea>
+      <textarea bind:value={body} rows="20" class="textarea w-full font-mono"></textarea>
     {/if}
   </div>
 

package/dist/components/LoginPage.svelte

@@ -39,7 +39,7 @@
         required
         autocomplete="email"
         placeholder="you@example.com"
-        class="input input-bordered w-full"
+        class="input w-full"
       />
       <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
     </form>

package/dist/components/ManageAdmins.svelte

@@ -0,0 +1,84 @@
+<script lang="ts">
+  // Owner-gated editor management: list the allowlist, change roles, remove editors, add new
+  // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
+  // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
+  // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
+  import type { AdminsData } from '../sveltekit';
+
+  interface Props {
+    data: AdminsData & { siteName: string };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Editors · {data.siteName} CMS</title>
+</svelte:head>
+
+<div>
+  <h1 class="text-2xl font-bold">Editors</h1>
+  <p class="text-sm opacity-60">Who can sign in to {data.siteName} CMS.</p>
+</div>
+
+{#if data.saved}
+  <div class="alert alert-success mt-6"><span>Allowlist updated.</span></div>
+{:else if data.error}
+  <div class="alert alert-error mt-6"><span>{data.error}</span></div>
+{/if}
+
+<div class="mt-6 overflow-x-auto rounded-box border border-base-300 bg-base-100">
+  <table class="table">
+    <thead>
+      <tr><th>Name</th><th>Email</th><th>Role</th><th class="text-right">Actions</th></tr>
+    </thead>
+    <tbody>
+      {#each data.admins as admin (admin.email)}
+        {@const isSelf = admin.email === data.self}
+        <tr>
+          <td class="font-medium">{admin.name}</td>
+          <td class="opacity-70">{admin.email}{#if isSelf}<span class="ml-1 opacity-50">(you)</span>{/if}</td>
+          <td>
+            <span class="badge {admin.role === 'owner' ? 'badge-primary' : 'badge-ghost'}">{admin.role}</span>
+          </td>
+          <td>
+            <div class="flex justify-end gap-2">
+              <!-- Flip role. Disabled for yourself so you can't demote the last owner out. -->
+              <form method="POST" action="?/setRole">
+                <input type="hidden" name="email" value={admin.email} />
+                <input type="hidden" name="role" value={admin.role === 'owner' ? 'editor' : 'owner'} />
+                <button type="submit" class="btn btn-ghost btn-xs" disabled={isSelf}>
+                  Make {admin.role === 'owner' ? 'editor' : 'owner'}
+                </button>
+              </form>
+              <form method="POST" action="?/remove">
+                <input type="hidden" name="email" value={admin.email} />
+                <button type="submit" class="btn btn-ghost btn-xs text-error" disabled={isSelf}>Remove</button>
+              </form>
+            </div>
+          </td>
+        </tr>
+      {/each}
+    </tbody>
+  </table>
+</div>
+
+<form method="POST" action="?/add"
+  class="mt-8 grid gap-4 rounded-box border border-base-300 bg-base-100 p-6 sm:grid-cols-[1fr_1fr_auto_auto] sm:items-end">
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Email</span>
+    <input type="email" name="email" required autocomplete="off" placeholder="you@example.com"
+      class="input w-full" />
+  </label>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Name</span>
+    <input type="text" name="name" required placeholder="Display name" class="input w-full" />
+  </label>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Role</span>
+    <select name="role" class="select">
+      <option value="editor">editor</option>
+      <option value="owner">owner</option>
+    </select>
+  </label>
+  <button type="submit" class="btn btn-primary">Add editor</button>
+</form>

package/dist/components/ManageAdmins.svelte.d.ts

@@ -0,0 +1,10 @@
+import type { AdminsData } from '../sveltekit';
+interface Props {
+    data: AdminsData & {
+        siteName: string;
+    };
+}
+declare const ManageAdmins: import("svelte").Component<Props, {}, "">;
+type ManageAdmins = ReturnType<typeof ManageAdmins>;
+export default ManageAdmins;
+//# sourceMappingURL=ManageAdmins.svelte.d.ts.map

package/dist/components/ManageAdmins.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManageAdmins.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ManageAdmins.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG7C,UAAU,KAAK;IACb,IAAI,EAAE,UAAU,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAmFH,QAAA,MAAM,YAAY,2CAAwC,CAAC;AAC3D,KAAK,YAAY,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AACpD,eAAe,YAAY,CAAC"}

package/dist/components/index.d.ts

@@ -2,4 +2,5 @@ export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
+export { default as ManageAdmins } from './ManageAdmins.svelte';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/components/index.js

@@ -4,3 +4,4 @@ export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
+export { default as ManageAdmins } from './ManageAdmins.svelte';

package/dist/sveltekit/index.d.ts

@@ -24,15 +24,20 @@ interface PlatformEvent {
 export interface AdminLayoutData {
     editor: Editor | null;
     siteName: string;
+    pathname: string;
 }
 /**
  * Branding + session for every admin page. `siteName` flows from the adapter without pulling
  * its plugin graph into client bundles — the import stays server-side in the layout load.
+ * `pathname` lets the shared shell highlight the active nav item without a `$app/*` import
+ * (those kit virtual modules have no types outside a kit app, so they can't live in the
+ * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export declare function adminLayoutLoad(event: {
     locals: {
         editor: Editor | null;
     };
+    url: URL;
 }, adapter: CairnAdapter): AdminLayoutData;
 export interface AdminCollectionList {
     type: string;
@@ -87,5 +92,31 @@ export declare function saveCommit(event: PlatformEvent & {
         editor: Editor | null;
     };
 }, adapter: CairnAdapter): Promise<never>;
+export interface AdminsData {
+    admins: Editor[];
+    /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
+    self: string;
+    saved: boolean;
+    error: string | null;
+}
+/** List the allowlist for the manage-admins page. Owner-only. */
+export declare function adminsLoad(event: PlatformEvent & {
+    locals: {
+        editor: Editor | null;
+    };
+    url: URL;
+}): Promise<AdminsData>;
+type AdminsActionEvent = PlatformEvent & {
+    request: Request;
+    locals: {
+        editor: Editor | null;
+    };
+};
+/** Add (or update) an allowlist entry. Owner-only. */
+export declare function addAdmin(event: AdminsActionEvent): Promise<never>;
+/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
+export declare function removeAdmin(event: AdminsActionEvent): Promise<never>;
+/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
+export declare function setAdminRole(event: AdminsActionEvent): Promise<never>;
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/sveltekit/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAmB,KAAK,OAAO,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAE7D,OAAO,EAOL,KAAK,MAAM,EACZ,MAAM,SAAS,CAAC;AACjB,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAwD,KAAK,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEhG,OAAO,EAAuC,KAAK,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAErG,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACrC;AAED,UAAU,aAAa;IACrB,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,QAAQ,CAAA;KAAE,CAAC;CAC/B;AAMD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC5C,OAAO,EAAE,YAAY,GACpB,eAAe,CAEjB;AAID,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,wBAAsB,aAAa,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,WAAW,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAAC,CAY1G;AAID,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE;IAAE,GAAG,EAAE,GAAG,CAAA;CAAE,GAAG,SAAS,CAKxD;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAsB,QAAQ,CAC5B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACzD,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,QAAQ,CAAC,CAyBnB;AAID,wBAAsB,WAAW,CAC/B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACrD,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA8BhB;AAID,wBAAsB,YAAY,CAChC,KAAK,EAAE,aAAa,GAAG;IAAE,GAAG,EAAE,GAAG,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GACpD,OAAO,CAAC,KAAK,CAAC,CA4BhB;AAID,wBAAgB,MAAM,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,GAAG,KAAK,CAGzD;AAID,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC9E,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA0ChB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAmB,KAAK,OAAO,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAE7D,OAAO,EAUL,KAAK,MAAM,EAEZ,MAAM,SAAS,CAAC;AACjB,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAwD,KAAK,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEhG,OAAO,EAAuC,KAAK,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAErG,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACrC;AAED,UAAU,aAAa;IACrB,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,QAAQ,CAAA;KAAE,CAAC;CAC/B;AAMD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACtD,OAAO,EAAE,YAAY,GACpB,eAAe,CAEjB;AAID,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,wBAAsB,aAAa,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,WAAW,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAAC,CAY1G;AAID,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE;IAAE,GAAG,EAAE,GAAG,CAAA;CAAE,GAAG,SAAS,CAKxD;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAsB,QAAQ,CAC5B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACzD,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,QAAQ,CAAC,CAyBnB;AAID,wBAAsB,WAAW,CAC/B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACrD,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA8BhB;AAID,wBAAsB,YAAY,CAChC,KAAK,EAAE,aAAa,GAAG;IAAE,GAAG,EAAE,GAAG,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GACpD,OAAO,CAAC,KAAK,CAAC,CA4BhB;AAID,wBAAgB,MAAM,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,GAAG,KAAK,CAGzD;AAID,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC9E,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA0ChB;AAsBD,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,iEAAiE;AACjE,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,GACrE,OAAO,CAAC,UAAU,CAAC,CASrB;AAED,KAAK,iBAAiB,GAAG,aAAa,GAAG;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACnC,CAAC;AAMF,sDAAsD;AACtD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAWvE;AAED,4FAA4F;AAC5F,wBAAsB,WAAW,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAU1E;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAe3E"}

package/dist/sveltekit/index.js

@@ -9,7 +9,7 @@
 // thrown objects share class identity with the host's runtime (else the redirect 500s).
 import { redirect, error } from '@sveltejs/kit';
 import matter from 'gray-matter';
-import { createMagicLink, redeemMagicToken, createSession, lookupEditor, SESSION_COOKIE, SESSION_MAX_AGE, } from '../auth';
+import { createMagicLink, redeemMagicToken, createSession, lookupEditor, listEditors, setEditor, removeEditor, SESSION_COOKIE, SESSION_MAX_AGE, } from '../auth';
 import { sendMagicLink } from '../email';
 import { listMarkdown, readRaw, commitFile, installationToken } from '../github';
 import { serializeMarkdown } from '../content';
@@ -18,9 +18,12 @@ const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
 /**
  * Branding + session for every admin page. `siteName` flows from the adapter without pulling
  * its plugin graph into client bundles — the import stays server-side in the layout load.
+ * `pathname` lets the shared shell highlight the active nav item without a `$app/*` import
+ * (those kit virtual modules have no types outside a kit app, so they can't live in the
+ * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export function adminLayoutLoad(event, adapter) {
-    return { editor: event.locals.editor, siteName: adapter.siteName };
+    return { editor: event.locals.editor, siteName: adapter.siteName, pathname: event.url.pathname };
 }
 /** List every collection's markdown files. A failed listing degrades to an inline error. */
 export async function adminListLoad(adapter) {
@@ -161,3 +164,79 @@ export async function saveCommit(event, adapter) {
     await commitFile(adapter.backend, `${collection.dir}/${id}.md`, markdown, { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: editor.name, email: editor.email } }, token);
     throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
 }
+// ── /admin/admins (owner-gated editor management) ────────────────────────────
+/**
+ * The privilege-escalation gate for the manage-admins surface: only `owner`s may load it or
+ * run its actions. Returns the acting owner (so callers can guard self-targeted mutations).
+ */
+function requireOwner(event) {
+    const editor = event.locals.editor;
+    if (!editor)
+        throw error(401, 'Not signed in');
+    if (editor.role !== 'owner')
+        throw error(403, 'Owner access required');
+    return editor;
+}
+/** Resolve AUTH_KV or fail loudly — the management surface is useless without it. */
+function ownerKv(event) {
+    const kv = event.platform?.env?.AUTH_KV;
+    if (!kv)
+        throw error(500, 'Editor allowlist is not configured');
+    return kv;
+}
+/** List the allowlist for the manage-admins page. Owner-only. */
+export async function adminsLoad(event) {
+    const owner = requireOwner(event);
+    const admins = await listEditors(ownerKv(event));
+    return {
+        admins,
+        self: owner.email,
+        saved: event.url.searchParams.get('saved') === '1',
+        error: event.url.searchParams.get('error'),
+    };
+}
+function parseRole(value) {
+    return value === 'owner' ? 'owner' : 'editor';
+}
+/** Add (or update) an allowlist entry. Owner-only. */
+export async function addAdmin(event) {
+    requireOwner(event);
+    const kv = ownerKv(event);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    const name = String(form.get('name') ?? '').trim();
+    if (!EMAIL_RE.test(email) || !name) {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
+    }
+    await setEditor(email, name, parseRole(form.get('role')), kv);
+    throw redirect(303, '/admin/admins?saved=1');
+}
+/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
+export async function removeAdmin(event) {
+    const owner = requireOwner(event);
+    const kv = ownerKv(event);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    if (email === owner.email) {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
+    }
+    await removeEditor(email, kv);
+    throw redirect(303, '/admin/admins?saved=1');
+}
+/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
+export async function setAdminRole(event) {
+    const owner = requireOwner(event);
+    const kv = ownerKv(event);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    const role = parseRole(form.get('role'));
+    if (email === owner.email && role !== 'owner') {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
+    }
+    const existing = await lookupEditor(email, kv);
+    if (!existing) {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
+    }
+    await setEditor(email, existing.name, role, kv);
+    throw redirect(303, '/admin/admins?saved=1');
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "license": "MIT",

package/src/lib/auth.ts

@@ -7,9 +7,13 @@
 import type { KVNamespace } from '@cloudflare/workers-types';
 import { bytesToB64url } from './utils';
 
+/** Two-tier, per-site role. `owner`s manage the editor allowlist; `editor`s only edit content. */
+export type Role = 'owner' | 'editor';
+
 export interface Editor {
   email: string;
   name: string;
+  role: Role;
 }
 
 export const SESSION_COOKIE = 'cairn_session';
@@ -118,13 +122,64 @@ export async function createSession(editor: Editor, secret: string): Promise<str
 export async function verifySession(token: string, secret: string): Promise<Editor | null> {
   const payload = await verifyToken<SessionPayload>(token, secret);
   if (!payload || Date.now() > payload.exp) return null;
-  return { email: payload.email, name: payload.name };
+  // Sessions signed before roles existed carry no `role` — treat them as plain editors.
+  return { email: payload.email, name: payload.name, role: payload.role ?? 'editor' };
+}
+
+const KEY_PREFIX = 'editor:';
+
+/**
+ * Decode a stored allowlist value into name + role. Current entries are JSON
+ * (`{"name","role"}`); legacy entries are a bare display-name string, read as `editor`
+ * so the allowlist migrates lazily — re-saving an entry upgrades it to the JSON shape.
+ */
+function parseEditorValue(raw: string): { name: string; role: Role } {
+  try {
+    const parsed = JSON.parse(raw) as { name?: unknown; role?: unknown };
+    if (parsed && typeof parsed.name === 'string') {
+      return { name: parsed.name, role: parsed.role === 'owner' ? 'owner' : 'editor' };
+    }
+  } catch {
+    // Not JSON — legacy bare display-name; treat as editor.
+  }
+  return { name: raw, role: 'editor' };
+}
+
+function serializeEditorValue(name: string, role: Role): string {
+  return JSON.stringify({ name, role });
 }
 
-/** Look up an editor in the KV allowlist (`editor:<email>` → display name). */
+/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
 export async function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null> {
   const normalized = email.trim().toLowerCase();
-  const name = await kv.get(`editor:${normalized}`);
-  if (name === null) return null;
-  return { email: normalized, name };
+  const raw = await kv.get(`${KEY_PREFIX}${normalized}`);
+  if (raw === null) return null;
+  return { email: normalized, ...parseEditorValue(raw) };
+}
+
+/** Every allowlisted editor, sorted by email — the manage-admins list. */
+export async function listEditors(kv: KVNamespace): Promise<Editor[]> {
+  const { keys } = await kv.list({ prefix: KEY_PREFIX });
+  const editors = await Promise.all(
+    keys.map(async ({ name: key }): Promise<Editor> => {
+      const raw = (await kv.get(key)) ?? '';
+      return { email: key.slice(KEY_PREFIX.length), ...parseEditorValue(raw) };
+    }),
+  );
+  return editors.sort((a, b) => a.email.localeCompare(b.email));
+}
+
+/** Add or update an allowlist entry (JSON value). Email is normalized. */
+export async function setEditor(
+  email: string,
+  name: string,
+  role: Role,
+  kv: KVNamespace,
+): Promise<void> {
+  await kv.put(`${KEY_PREFIX}${email.trim().toLowerCase()}`, serializeEditorValue(name, role));
+}
+
+/** Remove an allowlist entry. */
+export async function removeEditor(email: string, kv: KVNamespace): Promise<void> {
+  await kv.delete(`${KEY_PREFIX}${email.trim().toLowerCase()}`);
 }

package/src/lib/components/AdminLayout.svelte

@@ -1,18 +1,130 @@
 <script lang="ts">
-  // Neutral admin chrome — robots noindex + a centered container, scoped to /admin. Shared
-  // across sites so the admin tool looks identical everywhere (only siteName, supplied by
-  // pages, varies). Each site's `admin/+layout.svelte` is a one-line shim around this.
+  // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
+  // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
+  // (`drawer lg:drawer-open` — sidebar pinned on desktop, slide-over + hamburger on mobile),
+  // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
+  // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
+  // (the login page lives under this layout) it falls back to a minimal centered shell.
+  // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
+  import type { Editor } from '../auth';
 
-  let { children }: { children: Snippet } = $props();
+  let {
+    data,
+    children,
+  }: {
+    data: { siteName: string; editor: Editor | null; pathname: string };
+    children: Snippet;
+  } = $props();
+
+  interface NavItem {
+    href: string;
+    label: string;
+    icon: Snippet;
+    active: boolean;
+    /** Owner-only surface — hidden from regular editors. */
+    owner?: boolean;
+  }
+
+  const nav = $derived<NavItem[]>([
+    {
+      href: '/admin',
+      label: 'Content',
+      icon: contentIcon,
+      active: data.pathname === '/admin' || data.pathname.startsWith('/admin/edit'),
+    },
+    {
+      href: '/admin/admins',
+      label: 'Editors',
+      icon: editorsIcon,
+      owner: true,
+      active: data.pathname.startsWith('/admin/admins'),
+    },
+  ]);
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+
+  // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
+  function closeDrawer(): void {
+    const toggle = document.getElementById('admin-drawer');
+    if (toggle instanceof HTMLInputElement) toggle.checked = false;
+  }
 </script>
 
+{#snippet contentIcon()}
+  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+      d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+  </svg>
+{/snippet}
+
+{#snippet editorsIcon()}
+  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+      d="M17 20h5v-2a4 4 0 00-3-3.87M9 20H4v-2a4 4 0 013-3.87m6-1.13a4 4 0 10-4-4 4 4 0 004 4zm6 0a4 4 0 10-3.5-2.1" />
+  </svg>
+{/snippet}
+
 <svelte:head>
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-<div class="min-h-screen bg-base-200" data-pagefind-ignore>
-  <div class="mx-auto max-w-3xl px-4 py-8">
-    {@render children()}
+{#if data.editor}
+  <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
+    <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
+
+    <div class="drawer-content">
+      <!-- Mobile top bar — the desktop sidebar replaces this at lg. -->
+      <div class="navbar bg-base-100 lg:hidden">
+        <div class="flex-1">
+          <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
+        </div>
+        <div class="flex-none">
+          <label for="admin-drawer" class="btn btn-square btn-ghost" aria-label="Open menu">
+            <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h7" />
+            </svg>
+          </label>
+        </div>
+      </div>
+
+      <main class="container px-4 py-6 lg:px-8">
+        {@render children()}
+      </main>
+    </div>
+
+    <div class="drawer-side z-10">
+      <label for="admin-drawer" class="drawer-overlay" aria-label="Close menu"></label>
+      <div class="flex min-h-full w-80 flex-col bg-base-100 lg:border-r lg:border-base-300">
+        <ul class="menu menu-lg grow p-4">
+          <li class="menu-title flex flex-row items-center text-xl font-bold text-base-content">
+            <span class="grow">{data.siteName} CMS</span>
+            <label for="admin-drawer" class="ml-3 cursor-pointer lg:hidden" aria-label="Close menu">✕</label>
+          </li>
+          {#each visibleNav as item (item.href)}
+            <li>
+              <a href={item.href} class={item.active ? 'active' : ''} onclick={closeDrawer}>
+                {@render item.icon()}
+                {item.label}
+              </a>
+            </li>
+          {/each}
+        </ul>
+
+        <div class="border-t border-base-300 p-4">
+          <p class="text-sm font-medium">{data.editor.name}</p>
+          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <form method="POST" action="/admin/auth/logout" class="mt-3">
+            <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+{:else}
+  <!-- Signed out (login page): no nav, just a centered surface. -->
+  <div class="min-h-screen bg-base-200" data-pagefind-ignore>
+    <div class="mx-auto max-w-3xl px-4 py-8">
+      {@render children()}
+    </div>
   </div>
-</div>
+{/if}

package/src/lib/components/AdminList.svelte

@@ -1,25 +1,17 @@
 <script lang="ts">
   // The /admin content list: every collection's files, linking into the editor. Data comes
-  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (editor, siteName).
-  import type { Editor } from '../auth';
+  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (siteName). The shell
+  // (AdminLayout) owns the chrome — site title, signed-in identity, nav, sign out — so this
+  // page renders only the content body.
   import type { AdminCollectionList } from '../sveltekit';
 
   interface Props {
-    data: { siteName: string; editor: Editor | null; collections: AdminCollectionList[] };
+    data: { collections: AdminCollectionList[] };
   }
   let { data }: Props = $props();
 </script>
 
-<div class="flex items-center justify-between">
-  <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
-  <form method="POST" action="/admin/auth/logout">
-    <button type="submit" class="btn btn-ghost btn-sm">Sign out</button>
-  </form>
-</div>
-
-<p class="mt-2 text-sm opacity-70">
-  Signed in as {data.editor?.name} ({data.editor?.email})
-</p>
+<h1 class="text-2xl font-bold">Content</h1>
 
 {#each data.collections as collection (collection.type)}
   <section class="mt-8">

package/src/lib/components/EditPage.svelte

@@ -73,14 +73,14 @@
             name={field.name}
             required={field.required}
             value={fmString(field.name)}
-            class="input input-bordered w-full"
+            class="input w-full"
           />
         </label>
       {:else if field.type === 'textarea'}
         <label class="flex flex-col gap-1">
           <span class="text-sm font-medium">{field.label}</span>
           <textarea name={field.name} required={field.required} rows={field.rows ?? 4}
-            class="textarea textarea-bordered w-full">{fmString(field.name)}</textarea>
+            class="textarea w-full">{fmString(field.name)}</textarea>
         </label>
       {:else if field.type === 'tags'}
         <div class="flex flex-col gap-1">
@@ -99,7 +99,7 @@
         <label class="flex flex-col gap-1">
           <span class="text-sm font-medium">{field.label}</span>
           <input type="text" name={field.name} value={fmFreeTags(field.name)}
-            placeholder={field.placeholder ?? 'comma, separated'} class="input input-bordered w-full" />
+            placeholder={field.placeholder ?? 'comma, separated'} class="input w-full" />
         </label>
       {:else if field.type === 'boolean'}
         <label class="flex items-center gap-2 text-sm font-medium">
@@ -115,7 +115,7 @@
     {#if mounted}
       <MarkdownEditor {carta} bind:value={body} mode="tabs" />
     {:else}
-      <textarea bind:value={body} rows="20" class="textarea textarea-bordered w-full font-mono"></textarea>
+      <textarea bind:value={body} rows="20" class="textarea w-full font-mono"></textarea>
     {/if}
   </div>
 

package/src/lib/components/LoginPage.svelte

@@ -39,7 +39,7 @@
         required
         autocomplete="email"
         placeholder="you@example.com"
-        class="input input-bordered w-full"
+        class="input w-full"
       />
       <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
     </form>

package/src/lib/components/ManageAdmins.svelte

@@ -0,0 +1,84 @@
+<script lang="ts">
+  // Owner-gated editor management: list the allowlist, change roles, remove editors, add new
+  // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
+  // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
+  // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
+  import type { AdminsData } from '../sveltekit';
+
+  interface Props {
+    data: AdminsData & { siteName: string };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Editors · {data.siteName} CMS</title>
+</svelte:head>
+
+<div>
+  <h1 class="text-2xl font-bold">Editors</h1>
+  <p class="text-sm opacity-60">Who can sign in to {data.siteName} CMS.</p>
+</div>
+
+{#if data.saved}
+  <div class="alert alert-success mt-6"><span>Allowlist updated.</span></div>
+{:else if data.error}
+  <div class="alert alert-error mt-6"><span>{data.error}</span></div>
+{/if}
+
+<div class="mt-6 overflow-x-auto rounded-box border border-base-300 bg-base-100">
+  <table class="table">
+    <thead>
+      <tr><th>Name</th><th>Email</th><th>Role</th><th class="text-right">Actions</th></tr>
+    </thead>
+    <tbody>
+      {#each data.admins as admin (admin.email)}
+        {@const isSelf = admin.email === data.self}
+        <tr>
+          <td class="font-medium">{admin.name}</td>
+          <td class="opacity-70">{admin.email}{#if isSelf}<span class="ml-1 opacity-50">(you)</span>{/if}</td>
+          <td>
+            <span class="badge {admin.role === 'owner' ? 'badge-primary' : 'badge-ghost'}">{admin.role}</span>
+          </td>
+          <td>
+            <div class="flex justify-end gap-2">
+              <!-- Flip role. Disabled for yourself so you can't demote the last owner out. -->
+              <form method="POST" action="?/setRole">
+                <input type="hidden" name="email" value={admin.email} />
+                <input type="hidden" name="role" value={admin.role === 'owner' ? 'editor' : 'owner'} />
+                <button type="submit" class="btn btn-ghost btn-xs" disabled={isSelf}>
+                  Make {admin.role === 'owner' ? 'editor' : 'owner'}
+                </button>
+              </form>
+              <form method="POST" action="?/remove">
+                <input type="hidden" name="email" value={admin.email} />
+                <button type="submit" class="btn btn-ghost btn-xs text-error" disabled={isSelf}>Remove</button>
+              </form>
+            </div>
+          </td>
+        </tr>
+      {/each}
+    </tbody>
+  </table>
+</div>
+
+<form method="POST" action="?/add"
+  class="mt-8 grid gap-4 rounded-box border border-base-300 bg-base-100 p-6 sm:grid-cols-[1fr_1fr_auto_auto] sm:items-end">
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Email</span>
+    <input type="email" name="email" required autocomplete="off" placeholder="you@example.com"
+      class="input w-full" />
+  </label>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Name</span>
+    <input type="text" name="name" required placeholder="Display name" class="input w-full" />
+  </label>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Role</span>
+    <select name="role" class="select">
+      <option value="editor">editor</option>
+      <option value="owner">owner</option>
+    </select>
+  </label>
+  <button type="submit" class="btn btn-primary">Add editor</button>
+</form>

package/src/lib/components/index.ts

@@ -4,3 +4,4 @@ export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
+export { default as ManageAdmins } from './ManageAdmins.svelte';

package/src/lib/sveltekit/index.ts

@@ -15,9 +15,13 @@ import {
   redeemMagicToken,
   createSession,
   lookupEditor,
+  listEditors,
+  setEditor,
+  removeEditor,
   SESSION_COOKIE,
   SESSION_MAX_AGE,
   type Editor,
+  type Role,
 } from '../auth';
 import { sendMagicLink, type EmailSender } from '../email';
 import { listMarkdown, readRaw, commitFile, installationToken, type RepoFile } from '../github';
@@ -48,17 +52,21 @@ const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
 export interface AdminLayoutData {
   editor: Editor | null;
   siteName: string;
+  pathname: string;
 }
 
 /**
  * Branding + session for every admin page. `siteName` flows from the adapter without pulling
  * its plugin graph into client bundles — the import stays server-side in the layout load.
+ * `pathname` lets the shared shell highlight the active nav item without a `$app/*` import
+ * (those kit virtual modules have no types outside a kit app, so they can't live in the
+ * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export function adminLayoutLoad(
-  event: { locals: { editor: Editor | null } },
+  event: { locals: { editor: Editor | null }; url: URL },
   adapter: CairnAdapter,
 ): AdminLayoutData {
-  return { editor: event.locals.editor, siteName: adapter.siteName };
+  return { editor: event.locals.editor, siteName: adapter.siteName, pathname: event.url.pathname };
 }
 
 // ── /admin (content list) ────────────────────────────────────────────────────
@@ -270,3 +278,99 @@ export async function saveCommit(
 
   throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
 }
+
+// ── /admin/admins (owner-gated editor management) ────────────────────────────
+
+/**
+ * The privilege-escalation gate for the manage-admins surface: only `owner`s may load it or
+ * run its actions. Returns the acting owner (so callers can guard self-targeted mutations).
+ */
+function requireOwner(event: { locals: { editor: Editor | null } }): Editor {
+  const editor = event.locals.editor;
+  if (!editor) throw error(401, 'Not signed in');
+  if (editor.role !== 'owner') throw error(403, 'Owner access required');
+  return editor;
+}
+
+/** Resolve AUTH_KV or fail loudly — the management surface is useless without it. */
+function ownerKv(event: PlatformEvent): KVNamespace {
+  const kv = event.platform?.env?.AUTH_KV;
+  if (!kv) throw error(500, 'Editor allowlist is not configured');
+  return kv;
+}
+
+export interface AdminsData {
+  admins: Editor[];
+  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
+  self: string;
+  saved: boolean;
+  error: string | null;
+}
+
+/** List the allowlist for the manage-admins page. Owner-only. */
+export async function adminsLoad(
+  event: PlatformEvent & { locals: { editor: Editor | null }; url: URL },
+): Promise<AdminsData> {
+  const owner = requireOwner(event);
+  const admins = await listEditors(ownerKv(event));
+  return {
+    admins,
+    self: owner.email,
+    saved: event.url.searchParams.get('saved') === '1',
+    error: event.url.searchParams.get('error'),
+  };
+}
+
+type AdminsActionEvent = PlatformEvent & {
+  request: Request;
+  locals: { editor: Editor | null };
+};
+
+function parseRole(value: unknown): Role {
+  return value === 'owner' ? 'owner' : 'editor';
+}
+
+/** Add (or update) an allowlist entry. Owner-only. */
+export async function addAdmin(event: AdminsActionEvent): Promise<never> {
+  requireOwner(event);
+  const kv = ownerKv(event);
+  const form = await event.request.formData();
+  const email = String(form.get('email') ?? '').trim().toLowerCase();
+  const name = String(form.get('name') ?? '').trim();
+  if (!EMAIL_RE.test(email) || !name) {
+    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
+  }
+  await setEditor(email, name, parseRole(form.get('role')), kv);
+  throw redirect(303, '/admin/admins?saved=1');
+}
+
+/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
+export async function removeAdmin(event: AdminsActionEvent): Promise<never> {
+  const owner = requireOwner(event);
+  const kv = ownerKv(event);
+  const form = await event.request.formData();
+  const email = String(form.get('email') ?? '').trim().toLowerCase();
+  if (email === owner.email) {
+    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
+  }
+  await removeEditor(email, kv);
+  throw redirect(303, '/admin/admins?saved=1');
+}
+
+/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
+export async function setAdminRole(event: AdminsActionEvent): Promise<never> {
+  const owner = requireOwner(event);
+  const kv = ownerKv(event);
+  const form = await event.request.formData();
+  const email = String(form.get('email') ?? '').trim().toLowerCase();
+  const role = parseRole(form.get('role'));
+  if (email === owner.email && role !== 'owner') {
+    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
+  }
+  const existing = await lookupEditor(email, kv);
+  if (!existing) {
+    throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
+  }
+  await setEditor(email, existing.name, role, kv);
+  throw redirect(303, '/admin/admins?saved=1');
+}