@glw907/cairn-cms 0.11.0 → 0.17.0

package/dist/auth/crypto.d.ts

@@ -1,9 +1,15 @@
-/** The session cookie name. */
-export declare const COOKIE_NAME = "cairn_session";
+/**
+ * The session cookie name. On https the cookie is Secure and takes the __Host- prefix, which
+ * binds it to the origin (the browser enforces Secure, Path=/, and no Domain). On local http
+ * dev the prefix is dropped, since __Host- requires Secure and the dev cookie cannot set it.
+ */
+export declare function sessionCookieName(secure: boolean): string;
 /** Magic-link tokens live 10 minutes. */
 export declare const TOKEN_TTL_MS: number;
 /** Sessions live 30 days. */
 export declare const SESSION_TTL_MS: number;
+/** A magic link is sent at most once per email per minute, to throttle inbox flooding. */
+export declare const SEND_COOLDOWN_MS: number;
 /** A fresh 256-bit magic-link token, url-safe. */
 export declare function generateToken(): string;
 /** A fresh 256-bit session id, url-safe. */

package/dist/auth/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/auth/crypto.ts"],"names":[],"mappings":"AAIA,+BAA+B;AAC/B,eAAO,MAAM,WAAW,kBAAkB,CAAC;AAE3C,yCAAyC;AACzC,eAAO,MAAM,YAAY,QAAiB,CAAC;AAE3C,6BAA6B;AAC7B,eAAO,MAAM,cAAc,QAA2B,CAAC;AAUvD,kDAAkD;AAClD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,4CAA4C;AAC5C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,oEAAoE;AACpE,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI9D"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/auth/crypto.ts"],"names":[],"mappings":"AAOA;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAEzD;AAED,yCAAyC;AACzC,eAAO,MAAM,YAAY,QAAiB,CAAC;AAE3C,6BAA6B;AAC7B,eAAO,MAAM,cAAc,QAA2B,CAAC;AAEvD,0FAA0F;AAC1F,eAAO,MAAM,gBAAgB,QAAY,CAAC;AAU1C,kDAAkD;AAClD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,4CAA4C;AAC5C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,oEAAoE;AACpE,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI9D"}

package/dist/auth/crypto.js

@@ -1,12 +1,22 @@
 // Token and session-id generation plus SHA-256 token hashing, on Web Crypto so the
 // code runs unchanged in workerd. The store keeps only the hash of a token, never the
 // token itself (spec 7.1).
-/** The session cookie name. */
-export const COOKIE_NAME = 'cairn_session';
+/** The base session cookie name, prefixed with __Host- when the cookie is Secure. */
+const COOKIE_BASE = 'cairn_session';
+/**
+ * The session cookie name. On https the cookie is Secure and takes the __Host- prefix, which
+ * binds it to the origin (the browser enforces Secure, Path=/, and no Domain). On local http
+ * dev the prefix is dropped, since __Host- requires Secure and the dev cookie cannot set it.
+ */
+export function sessionCookieName(secure) {
+    return secure ? `__Host-${COOKIE_BASE}` : COOKIE_BASE;
+}
 /** Magic-link tokens live 10 minutes. */
 export const TOKEN_TTL_MS = 10 * 60 * 1000;
 /** Sessions live 30 days. */
 export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+/** A magic link is sent at most once per email per minute, to throttle inbox flooding. */
+export const SEND_COOLDOWN_MS = 60 * 1000;
 function randomBase64Url(byteLength = 32) {
     const bytes = new Uint8Array(byteLength);
     crypto.getRandomValues(bytes);

package/dist/auth/store.d.ts

@@ -4,6 +4,8 @@ import type { Editor, Role } from './types.js';
 export declare function findEditor(db: D1Database, email: string): Promise<Editor | null>;
 /** Replace any prior token for this email with a fresh one, atomically. */
 export declare function issueToken(db: D1Database, email: string, tokenHash: string, expiresAt: number, now: number): Promise<void>;
+/** True when a magic-link token for this email was issued at or after `since`, for the send cooldown. */
+export declare function recentlyIssued(db: D1Database, email: string, since: number): Promise<boolean>;
 /**
  * Consume a token in one atomic statement. A returned email means the token was present and
  * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.

package/dist/auth/store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/lib/auth/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAQ/C,yCAAyC;AACzC,wBAAsB,UAAU,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMtF;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,CAC9B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMzG;AAED,4BAA4B;AAC5B,wBAAsB,aAAa,CACjC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUpG;AAED,iCAAiC;AACjC,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE7E;AAED,2CAA2C;AAC3C,wBAAsB,WAAW,CAAC,EAAE,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAKnE;AAED,sCAAsC;AACtC,wBAAsB,YAAY,CAChC,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAM/E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAe1F;AAED,iFAAiF;AACjF,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAE5F;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1F"}
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/lib/auth/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAQ/C,yCAAyC;AACzC,wBAAsB,UAAU,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMtF;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,CAC9B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,yGAAyG;AACzG,wBAAsB,cAAc,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMnG;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMzG;AAED,4BAA4B;AAC5B,wBAAsB,aAAa,CACjC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUpG;AAED,iCAAiC;AACjC,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE7E;AAED,2CAA2C;AAC3C,wBAAsB,WAAW,CAAC,EAAE,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAKnE;AAED,sCAAsC;AACtC,wBAAsB,YAAY,CAChC,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAM/E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAe1F;AAED,iFAAiF;AACjF,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAE5F;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1F"}

package/dist/auth/store.js

@@ -12,12 +12,21 @@ export async function findEditor(db, email) {
 /** Replace any prior token for this email with a fresh one, atomically. */
 export async function issueToken(db, email, tokenHash, expiresAt, now) {
     await db.batch([
-        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+        // Replace this email's prior token, and sweep any expired token while here (no cron needed).
+        db.prepare('DELETE FROM magic_token WHERE email = ? OR expires_at <= ?').bind(email, now),
         db
             .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
             .bind(tokenHash, email, expiresAt, now),
     ]);
 }
+/** True when a magic-link token for this email was issued at or after `since`, for the send cooldown. */
+export async function recentlyIssued(db, email, since) {
+    const row = await db
+        .prepare('SELECT 1 AS one FROM magic_token WHERE email = ? AND created_at >= ? LIMIT 1')
+        .bind(email, since)
+        .first();
+    return row != null;
+}
 /**
  * Consume a token in one atomic statement. A returned email means the token was present and
  * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
@@ -31,10 +40,13 @@ export async function consumeToken(db, tokenHash, now) {
 }
 /** Create a session row. */
 export async function createSession(db, id, email, expiresAt, now) {
-    await db
-        .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
-        .bind(id, email, expiresAt, now)
-        .run();
+    await db.batch([
+        // Sweep expired sessions on login, so abandoned rows do not accumulate (no cron needed).
+        db.prepare('DELETE FROM session WHERE expires_at <= ?').bind(now),
+        db
+            .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+            .bind(id, email, expiresAt, now),
+    ]);
 }
 /**
  * Resolve a session to its editor, joining `editor` so the role is read live. An expired

package/dist/components/ComponentForm.svelte

@@ -38,6 +38,32 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
     return Array.isArray(v) ? v : [];
   }
 
+  // Stable per-item ids run parallel to each repeatable slot's value array, so the {#each} keys by
+  // identity instead of index. A mid-list removal then drops the right DOM node and the focused
+  // item follows the data. Ids come from a monotonic module-local counter, never Math.random or
+  // Date.now. The value arrays in values.slots stay the canonical string lists serializeComponent
+  // reads, so the emitted markdown is unchanged. emptyValues seeds every repeatable slot to [], so
+  // the id lists start empty and stay in lockstep with the values through addItem/removeItem.
+  let nextId = 0;
+  const itemIds = $state<Record<string, number[]>>(
+    untrack(() => Object.fromEntries((def.slots ?? []).filter((s) => s.kind === 'repeatable').map((s) => [s.name, []]))),
+  );
+
+  // emptyValues and the itemIds seed both cover every repeatable slot, so this read always hits.
+  function slotIds(name: string): number[] {
+    return itemIds[name] ?? [];
+  }
+
+  function addItem(name: string): void {
+    slotItems(name).push('');
+    slotIds(name).push(nextId++);
+  }
+
+  function removeItem(name: string, index: number): void {
+    slotItems(name).splice(index, 1);
+    slotIds(name).splice(index, 1);
+  }
+
   // Typed accessors over the unions so explicit value targets stay sound.
   function asString(key: string): string {
     const v = values.attributes[key];
@@ -79,7 +105,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <input
           class="checkbox checkbox-sm"
           type="checkbox"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           checked={asBool(field.key)}
@@ -92,7 +117,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <select
           class="select"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           value={asString(field.key)}
@@ -107,6 +131,7 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <IconPicker
           {icons}
+          label={field.label}
           value={asString(field.key)}
           required={field.required ?? false}
           onChange={(name) => (values.attributes[field.key] = name)}
@@ -117,7 +142,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <input
           class="input"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           value={asString(field.key)}
@@ -134,7 +158,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{slot.label}</span>
         <textarea
           class="textarea"
-          aria-label={slot.label}
           aria-invalid={Boolean(errors[slot.name])}
           aria-describedby={errors[slot.name] ? `err-${slot.name}` : undefined}
           rows={3}
@@ -147,7 +170,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{slot.label}</span>
         <input
           class="input"
-          aria-label={slot.label}
           aria-invalid={Boolean(errors[slot.name])}
           aria-describedby={errors[slot.name] ? `err-${slot.name}` : undefined}
           value={slotString(slot.name)}
@@ -160,16 +182,17 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
 
   {#each repeatableSlots as slot (slot.name)}
     {@const items = slotItems(slot.name)}
+    {@const ids = slotIds(slot.name)}
     <fieldset class="rounded-box border border-base-300 flex flex-col gap-2 p-2">
       <legend class="text-sm font-medium">{slot.label}</legend>
-      <!-- Index key is deliberate: items are bare strings with no stable id, so the value bindings and splice/push are index-based by design. -->
-      {#each items as _, i (i)}
+      <!-- Keyed by the parallel stable id so a mid-list removal drops the right node and focus follows the data; the value still binds to the canonical items[i] string the serializer reads. -->
+      {#each ids as id, i (id)}
         <div class="flex items-center gap-2">
-          <input class="input input-sm flex-1" aria-label={`${slot.label} item`} bind:value={items[i]} />
-          <button type="button" class="btn btn-ghost btn-sm" aria-label={`Remove item ${i + 1}`} onclick={() => items.splice(i, 1)}>✕</button>
+          <input class="input input-sm flex-1" aria-label={`${slot.label} ${i + 1}`} bind:value={items[i]} />
+          <button type="button" class="btn btn-ghost btn-sm" aria-label={`Remove item ${i + 1}`} onclick={() => removeItem(slot.name, i)}>✕</button>
         </div>
       {/each}
-      <button type="button" class="btn btn-sm self-start" onclick={() => items.push('')}>Add item</button>
+      <button type="button" class="btn btn-sm self-start" onclick={() => addItem(slot.name)}>Add item</button>
       {#if errors[slot.name]}<span id={`err-${slot.name}`} role="alert" class="text-error text-xs">{errors[slot.name]}</span>{/if}
     </fieldset>
   {/each}

package/dist/components/ComponentForm.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ComponentForm.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ComponentForm.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEvE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAIhD,UAAU,KAAK;IACb,GAAG,EAAE,YAAY,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,mEAAmE;IACnE,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;IACrC,4BAA4B;IAC5B,MAAM,EAAE,MAAM,IAAI,CAAC;CACpB;AA8HH;;;;;GAKG;AACH,QAAA,MAAM,aAAa,2CAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}
+{"version":3,"file":"ComponentForm.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ComponentForm.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEvE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAIhD,UAAU,KAAK;IACb,GAAG,EAAE,YAAY,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,mEAAmE;IACnE,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;IACrC,4BAA4B;IAC5B,MAAM,EAAE,MAAM,IAAI,CAAC;CACpB;AAyJH;;;;;GAKG;AACH,QAAA,MAAM,aAAa,2CAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}

package/dist/components/EditPage.svelte

@@ -12,14 +12,13 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
   import type { IconSet } from '../render/glyph.js';
   import type { EditData } from '../sveltekit/content-routes.js';
   import type { TextareaField, TagsField, FreeTagsField } from '../content/types.js';
-  import { sanitizePreviewHtml } from '../render/sanitize.js';
 
   interface Props {
     /** The edit load's data, plus the site name for the heading. */
     data: EditData & { siteName: string };
     /** The site's component registry, for the insert palette. */
     registry?: ComponentRegistry;
-    /** The site's design-accurate render pipeline; the preview pane sanitizes its output. */
+    /** The site's design-accurate render pipeline; the preview pane renders its output, which the floored pipeline already sanitized. */
     render?: (md: string, opts?: { stagger?: boolean }) => string | Promise<string>;
     /** The site's icon set, for the guided form's icon fields. */
     icons?: IconSet;
@@ -46,8 +45,8 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
     localStorage.setItem(PREVIEW_KEY, showPreview ? '1' : '0');
   }
 
-  // Render the design-accurate preview as the body changes, debounced, and sanitize before the DOM.
-  // The sanitize is the one barrier between editor-authored markdown and the page (the editor is unsanitized).
+  // Render the design-accurate preview as the body changes, debounced. The site's render is the
+  // floored engine pipeline, so its output is already sanitized; the preview mirrors the page.
   // previewRun is a plain counter (not reactive state) used as a latest-wins guard: if a slow earlier
   // async render call resolves after a newer one has started, the stale result is discarded.
   let previewRun = 0;
@@ -58,8 +57,7 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
     const handle = setTimeout(async () => {
       try {
         const html = await render(md);
-        const safe = await sanitizePreviewHtml(html);
-        if (run === previewRun) previewHtml = safe;
+        if (run === previewRun) previewHtml = html;
       } catch {
         if (run === previewRun) previewHtml = '';
       }

package/dist/components/EditPage.svelte.d.ts

@@ -8,7 +8,7 @@ interface Props {
     };
     /** The site's component registry, for the insert palette. */
     registry?: ComponentRegistry;
-    /** The site's design-accurate render pipeline; the preview pane sanitizes its output. */
+    /** The site's design-accurate render pipeline; the preview pane renders its output, which the floored pipeline already sanitized. */
     render?: (md: string, opts?: {
         stagger?: boolean;
     }) => string | Promise<string>;

package/dist/components/EditPage.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"EditPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/EditPage.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAK7D,UAAU,KAAK;IACb,gEAAgE;IAChE,IAAI,EAAE,QAAQ,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACtC,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,yFAAyF;IACzF,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,8DAA8D;IAC9D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAsJH;;;;GAIG;AACH,QAAA,MAAM,QAAQ,2CAAwC,CAAC;AACvD,KAAK,QAAQ,GAAG,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC;AAC5C,eAAe,QAAQ,CAAC"}
+{"version":3,"file":"EditPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/EditPage.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAI7D,UAAU,KAAK;IACb,gEAAgE;IAChE,IAAI,EAAE,QAAQ,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACtC,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,qIAAqI;IACrI,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,8DAA8D;IAC9D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAoJH;;;;GAIG;AACH,QAAA,MAAM,QAAQ,2CAAwC,CAAC;AACvD,KAAK,QAAQ,GAAG,UAAU,CAAC,OAAO,QAAQ,CAAC,CAAC;AAC5C,eAAe,QAAQ,CAAC"}

package/dist/components/IconPicker.svelte

@@ -1,10 +1,13 @@
 <!--
 @component
-A visual icon choice over the site's IconSet. Each glyph is a toggle button; the selected one carries
-aria-pressed. When the field is optional, a None button clears the value. The glyph renders inline from
-the IconSet path data, matching the renderer's 256-unit viewBox.
+A visual icon choice over the site's IconSet. The choices form a radiogroup; each glyph is a radio
+button carrying aria-checked, and the selected one carries btn-primary for the visible state. When the
+field is optional, a None radio clears the value. A roving tabindex keeps a single tab stop and arrow
+keys move the selection, the standard radiogroup keyboard model. The glyph renders inline from the
+IconSet path data, matching the renderer's 256-unit viewBox.
 -->
 <script lang="ts">
+  import { tick } from 'svelte';
   import type { IconSet } from '../render/glyph.js';
 
   interface Props {
@@ -16,20 +19,60 @@ the IconSet path data, matching the renderer's 256-unit viewBox.
     required: boolean;
     /** Called with the new glyph name (or '' for none). */
     onChange: (name: string) => void;
+    /** The group's accessible name, threaded from the field label. Defaults to Icon. */
+    label?: string;
   }
 
-  let { icons, value, required, onChange }: Props = $props();
+  let { icons, value, required, onChange, label = 'Icon' }: Props = $props();
+
+  // The radiogroup container, used to move focus with the selection per the ARIA radiogroup pattern.
+  let group: HTMLDivElement;
 
   const names = $derived(Object.keys(icons));
+  // The selectable keys in DOM order: the optional None choice ('') first, then each glyph name.
+  // Arrow-key navigation walks this list, and the roving tabindex marks the selected key (or the
+  // first key when nothing is selected) as the single tab stop.
+  const choices = $derived(required ? names : ['', ...names]);
+  const tabStop = $derived(choices.includes(value) ? value : choices[0]);
+
+  function move(delta: number): void {
+    // Navigate relative to the focused element (the current tab stop), not the bound value. In a
+    // required group with no value, tabStop is the first radio while value is '', so a value-based
+    // origin would skip the first step.
+    const from = Math.max(0, choices.indexOf(tabStop));
+    const next = (from + delta + choices.length) % choices.length;
+    onChange(choices[next]);
+    // The roving tabindex updates reactively, so wait for the DOM then move focus onto the new tab
+    // stop. The keydown handler runs only when focus is already inside the group, so this never
+    // steals focus on mount.
+    void tick().then(() => {
+      const target = group?.querySelector<HTMLElement>('[tabindex="0"]');
+      target?.focus();
+    });
+  }
+
+  function onKeydown(e: KeyboardEvent): void {
+    if (e.key === 'ArrowRight' || e.key === 'ArrowDown') {
+      e.preventDefault();
+      move(1);
+    } else if (e.key === 'ArrowLeft' || e.key === 'ArrowUp') {
+      e.preventDefault();
+      move(-1);
+    }
+  }
 </script>
 
-<div class="flex flex-wrap gap-2" role="group" aria-label="Icon">
+<div class="flex flex-wrap gap-2" role="radiogroup" aria-label={label} bind:this={group}>
   {#if !required}
     <button
       type="button"
       class="btn btn-sm"
       class:btn-primary={value === ''}
-      aria-pressed={value === ''}
+      role="radio"
+      aria-checked={value === ''}
+      aria-label="None"
+      tabindex={tabStop === '' ? 0 : -1}
+      onkeydown={onKeydown}
       onclick={() => onChange('')}
     >None</button>
   {/if}
@@ -38,8 +81,11 @@ the IconSet path data, matching the renderer's 256-unit viewBox.
       type="button"
       class="btn btn-sm gap-1"
       class:btn-primary={value === name}
-      aria-pressed={value === name}
+      role="radio"
+      aria-checked={value === name}
       aria-label={name}
+      tabindex={tabStop === name ? 0 : -1}
+      onkeydown={onKeydown}
       onclick={() => onChange(name)}
     >
       <svg class="ec-glyph" viewBox="0 0 256 256" fill="currentColor" aria-hidden="true" width="16" height="16">

package/dist/components/IconPicker.svelte.d.ts

@@ -8,11 +8,15 @@ interface Props {
     required: boolean;
     /** Called with the new glyph name (or '' for none). */
     onChange: (name: string) => void;
+    /** The group's accessible name, threaded from the field label. Defaults to Icon. */
+    label?: string;
 }
 /**
- * A visual icon choice over the site's IconSet. Each glyph is a toggle button; the selected one carries
- * aria-pressed. When the field is optional, a None button clears the value. The glyph renders inline from
- * the IconSet path data, matching the renderer's 256-unit viewBox.
+ * A visual icon choice over the site's IconSet. The choices form a radiogroup; each glyph is a radio
+ * button carrying aria-checked, and the selected one carries btn-primary for the visible state. When the
+ * field is optional, a None radio clears the value. A roving tabindex keeps a single tab stop and arrow
+ * keys move the selection, the standard radiogroup keyboard model. The glyph renders inline from the
+ * IconSet path data, matching the renderer's 256-unit viewBox.
  */
 declare const IconPicker: import("svelte").Component<Props, {}, "">;
 type IconPicker = ReturnType<typeof IconPicker>;

package/dist/components/IconPicker.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"IconPicker.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/IconPicker.svelte.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGhD,UAAU,KAAK;IACb,kDAAkD;IAClD,KAAK,EAAE,OAAO,CAAC;IACf,yDAAyD;IACzD,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,QAAQ,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CAClC;AA2BH;;;;GAIG;AACH,QAAA,MAAM,UAAU,2CAAwC,CAAC;AACzD,KAAK,UAAU,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC;AAChD,eAAe,UAAU,CAAC"}
+{"version":3,"file":"IconPicker.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/IconPicker.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGhD,UAAU,KAAK;IACb,kDAAkD;IAClD,KAAK,EAAE,OAAO,CAAC;IACf,yDAAyD;IACzD,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,QAAQ,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACjC,oFAAoF;IACpF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA8DH;;;;;;GAMG;AACH,QAAA,MAAM,UAAU,2CAAwC,CAAC;AACzD,KAAK,UAAU,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC;AAChD,eAAe,UAAU,CAAC"}

package/dist/content/adapter.d.ts

@@ -0,0 +1,4 @@
+import type { CairnAdapter } from './types.js';
+/** Declare a site's adapter while preserving each concept's concrete schema type for typed reads. */
+export declare function defineAdapter<const A extends CairnAdapter>(adapter: A): A;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/content/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../src/lib/content/adapter.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,qGAAqG;AACrG,wBAAgB,aAAa,CAAC,KAAK,CAAC,CAAC,SAAS,YAAY,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAEzE"}

package/dist/content/adapter.js

@@ -0,0 +1,4 @@
+/** Declare a site's adapter while preserving each concept's concrete schema type for typed reads. */
+export function defineAdapter(adapter) {
+    return adapter;
+}

package/dist/content/concepts.js

@@ -37,8 +37,8 @@ export function normalizeConcepts(content, urlPolicy = {}, routing = CONCEPT_ROU
             routing: routing[id] ?? DEFAULT_ROUTING,
             permalink: policy.permalink ?? defaultPermalink(id),
             datePrefix: policy.datePrefix ?? 'day',
-            fields: config.fields,
-            validate: config.validate,
+            fields: config.schema.fields,
+            validate: config.schema.validate,
         });
     }
     return descriptors;

package/dist/content/schema.d.ts

@@ -0,0 +1,75 @@
+import type { FrontmatterField, ValidationResult } from './types.js';
+/** The validate input the cairn adapter takes: the raw frontmatter and the body. */
+export interface StandardInput {
+    frontmatter: Record<string, unknown>;
+    body: string;
+}
+/** A minimal local copy of the Standard Schema v1 interface (https://standardschema.dev), so the
+ *  schema is a drop-in where the ecosystem accepts a validator, with no runtime dependency. */
+export interface StandardSchemaV1<Input = unknown, Output = Input> {
+    readonly '~standard': {
+        readonly version: 1;
+        readonly vendor: string;
+        readonly validate: (value: unknown) => StandardResult<Output>;
+        readonly types?: {
+            readonly input: Input;
+            readonly output: Output;
+        };
+    };
+}
+type StandardResult<Output> = {
+    readonly value: Output;
+    readonly issues?: undefined;
+} | {
+    readonly issues: ReadonlyArray<{
+        readonly message: string;
+        readonly path?: ReadonlyArray<PropertyKey>;
+    }>;
+};
+/** Map one field descriptor to the TS type of its normalized value. text, textarea, and date
+ *  normalize to a string; a closed-vocabulary `tags` field to the option-union array. */
+type FieldValue<K extends FrontmatterField> = K extends {
+    type: 'boolean';
+} ? boolean : K extends {
+    type: 'tags';
+    options: readonly (infer O extends string)[];
+} ? O[] : K extends {
+    type: 'tags' | 'freetags';
+} ? string[] : string;
+/** Flatten an intersection into a single readable object type. */
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+/** The normalized frontmatter type inferred from a field tuple. A field declared
+ *  `required: true` is a required key; every other field is optional. */
+export type InferFields<F extends readonly FrontmatterField[]> = Prettify<{
+    [K in F[number] as K extends {
+        required: true;
+    } ? K['name'] : never]: FieldValue<K>;
+} & {
+    [K in F[number] as K extends {
+        required: true;
+    } ? never : K['name']]?: FieldValue<K>;
+}>;
+/** A concept's schema: the plain-data field projection, the generated validator, and the
+ *  Standard Schema conformance property. */
+export interface ConceptSchema<F extends readonly FrontmatterField[] = readonly FrontmatterField[]> {
+    /** The declared fields as plain serializable data, for the editor form. */
+    readonly fields: FrontmatterField[];
+    /** Validate raw frontmatter, returning field-keyed errors or the normalized data. */
+    validate(frontmatter: Record<string, unknown>, body: string): ValidationResult;
+    /** Standard Schema v1 conformance, for ecosystem interop. A thin adapter over `validate`. */
+    readonly '~standard': StandardSchemaV1<StandardInput, InferFields<F>>['~standard'];
+}
+/** Extract the inferred frontmatter type from a `ConceptSchema`. */
+export type Infer<S> = S extends ConceptSchema<infer F> ? InferFields<F> : never;
+/** Options for `defineFields`. `refine` runs after the per-field rules pass, for cross-field and
+ *  body-dependent checks. It is validation-only: it returns field-keyed errors to merge, or
+ *  nothing, and never transforms the data. */
+export interface DefineFieldsOptions<F extends readonly FrontmatterField[]> {
+    refine?: (data: InferFields<F>, body: string) => Record<string, string> | undefined;
+}
+/** Declare a concept's fields once. Returns the schema's faces derived from that one declaration. */
+export declare function defineFields<const F extends readonly FrontmatterField[]>(fields: F, options?: DefineFieldsOptions<F>): ConceptSchema<F>;
+export {};
+//# sourceMappingURL=schema.d.ts.map

package/dist/content/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/lib/content/schema.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGrE,oFAAoF;AACpF,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;CACd;AAED;+FAC+F;AAC/F,MAAM,WAAW,gBAAgB,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,KAAK;IAC/D,QAAQ,CAAC,WAAW,EAAE;QACpB,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,QAAQ,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,cAAc,CAAC,MAAM,CAAC,CAAC;QAC9D,QAAQ,CAAC,KAAK,CAAC,EAAE;YAAE,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;YAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KACrE,CAAC;CACH;AACD,KAAK,cAAc,CAAC,MAAM,IACtB;IAAE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,CAAA;CAAE,GACvD;IAAE,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC;AAEjH;yFACyF;AACzF,KAAK,UAAU,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAAC,SAAS;IAAE,IAAI,EAAE,SAAS,CAAA;CAAE,GACvE,OAAO,GACP,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,SAAS,MAAM,CAAC,EAAE,CAAA;CAAE,GACtE,CAAC,EAAE,GACH,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,GAAG,UAAU,CAAA;CAAE,GACrC,MAAM,EAAE,GACR,MAAM,CAAC;AAEf,kEAAkE;AAClE,KAAK,QAAQ,CAAC,CAAC,IAAI;KAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAAE,GAAG,EAAE,CAAC;AAEjD;yEACyE;AACzE,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,SAAS,gBAAgB,EAAE,IAAI,QAAQ,CACvE;KAAG,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;QAAE,QAAQ,EAAE,IAAI,CAAA;KAAE,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC;CAAE,GAAG;KACvF,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS;QAAE,QAAQ,EAAE,IAAI,CAAA;KAAE,GAAG,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;CACrF,CACF,CAAC;AAEF;4CAC4C;AAC5C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,SAAS,gBAAgB,EAAE,GAAG,SAAS,gBAAgB,EAAE;IAChG,2EAA2E;IAC3E,QAAQ,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpC,qFAAqF;IACrF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,gBAAgB,CAAC;IAC/E,6FAA6F;IAC7F,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;CACpF;AAED,oEAAoE;AACpE,MAAM,MAAM,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;AAqBjF;;8CAE8C;AAC9C,MAAM,WAAW,mBAAmB,CAAC,CAAC,SAAS,SAAS,gBAAgB,EAAE;IACxE,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;CACrF;AAkBD,qGAAqG;AACrG,wBAAgB,YAAY,CAAC,KAAK,CAAC,CAAC,SAAS,SAAS,gBAAgB,EAAE,EACtE,MAAM,EAAE,CAAC,EACT,OAAO,GAAE,mBAAmB,CAAC,CAAC,CAAM,GACnC,aAAa,CAAC,CAAC,CAAC,CAwBlB"}

package/dist/content/schema.js

@@ -0,0 +1,72 @@
+import { validateFields } from './validate.js';
+// Enforce the declarative per-field rules on an already-coerced value. Rules run only on a
+// present, non-empty string value, so an absent optional field is never flagged. The first
+// failing rule per field wins, so the author sees one clear message at a time.
+function applyRules(field, value, errors, patterns) {
+    if (typeof value !== 'string' || value === '')
+        return;
+    if (field.type === 'text' || field.type === 'textarea') {
+        if (field.min != null && value.length < field.min)
+            errors[field.name] = `${field.label} must be at least ${field.min} characters`;
+        else if (field.max != null && value.length > field.max)
+            errors[field.name] = `${field.label} must be at most ${field.max} characters`;
+        else if (field.length != null && value.length !== field.length)
+            errors[field.name] = `${field.label} must be exactly ${field.length} characters`;
+        else if (field.pattern != null) {
+            const re = patterns.get(field.name);
+            if (re && !re.test(value))
+                errors[field.name] = `${field.label} is not in the expected format`;
+        }
+    }
+    else if (field.type === 'date') {
+        if (field.min != null && value < field.min)
+            errors[field.name] = `${field.label} must be on or after ${field.min}`;
+        else if (field.max != null && value > field.max)
+            errors[field.name] = `${field.label} must be on or before ${field.max}`;
+    }
+}
+// Compile each declared text/textarea pattern once, so a malformed pattern fails loudly at
+// declaration (a site config error) instead of throwing from inside validate() on every save.
+function compilePatterns(fields) {
+    const compiled = new Map();
+    for (const field of fields) {
+        if ((field.type === 'text' || field.type === 'textarea') && field.pattern != null) {
+            try {
+                compiled.set(field.name, new RegExp(field.pattern));
+            }
+            catch (cause) {
+                throw new Error(`cairn: field "${field.name}" has an invalid pattern: ${field.pattern}`, { cause });
+            }
+        }
+    }
+    return compiled;
+}
+/** Declare a concept's fields once. Returns the schema's faces derived from that one declaration. */
+export function defineFields(fields, options = {}) {
+    const list = [...fields];
+    const patterns = compilePatterns(list);
+    const validate = (frontmatter, body) => {
+        const base = validateFields(list, frontmatter);
+        if (!base.ok)
+            return base;
+        const errors = {};
+        for (const field of list)
+            applyRules(field, base.data[field.name], errors, patterns);
+        if (Object.keys(errors).length > 0)
+            return { ok: false, errors };
+        const refined = options.refine?.(base.data, body);
+        return refined && Object.keys(refined).length > 0 ? { ok: false, errors: refined } : base;
+    };
+    const standard = {
+        version: 1,
+        vendor: 'cairn',
+        validate: (value) => {
+            const { frontmatter = {}, body = '' } = (value ?? {});
+            const result = validate(frontmatter ?? {}, body ?? '');
+            return result.ok
+                ? { value: result.data }
+                : { issues: Object.entries(result.errors).map(([field, message]) => ({ message, path: [field] })) };
+        },
+    };
+    return { fields: list, validate, '~standard': standard };
+}