@glw907/cairn-cms 0.11.0 → 0.17.0

package/dist/render/remark-directives.js

@@ -1,4 +1,19 @@
 import { visit } from 'unist-util-visit';
+import { dataAttrProp } from './registry.js';
+// mdast-util-directive carries the `[label]` as a paragraph whose `data.directiveLabel` is set.
+function isDirectiveLabel(node) {
+    return Boolean(node.data?.directiveLabel);
+}
+// Stamp data-slot on a child so the rehype dispatch partitioner can route it. For a nested
+// container directive we also set hName so it renders as a <div> wrapper rather than being
+// dropped as an unknown directive.
+function markSlot(node, name) {
+    const n = node;
+    const data = n.data ?? (n.data = {});
+    if (n.type === 'containerDirective')
+        data.hName = 'div';
+    data.hProperties = { ...(data.hProperties ?? {}), dataSlot: name };
+}
 // Reconstruct a directive's authored attribute block (`{#id .class key="value"}`).
 // Accidental prose directives carry none, so this is almost always empty.
 function serializeAttributes(attributes) {
@@ -42,6 +57,7 @@ export function remarkDirectiveStamp(registry) {
         visit(tree, 'containerDirective', (node) => {
             if (!known.has(node.name))
                 return;
+            const def = registry.get(node.name);
             const attrs = node.attributes ?? {};
             const role = attrs.role || undefined;
             let icon = attrs.icon || undefined;
@@ -52,9 +68,30 @@ export function remarkDirectiveStamp(registry) {
                 properties.dataIcon = icon;
             if (role)
                 properties.dataRole = role;
+            // Carry every declared attribute to hast so the dispatch partitioner can build the
+            // component context. data-attr-<key> survives to the element; build() consumes it and
+            // returns a fresh element, so the marker never reaches the published DOM.
+            for (const field of def?.attributes ?? []) {
+                const raw = attrs[field.key];
+                if (raw != null)
+                    properties[dataAttrProp(field.key)] = raw;
+            }
             const data = node.data ?? (node.data = {});
             data.hName = 'div';
             data.hProperties = properties;
+            // Mark the title label paragraph and the nested slot directives so they survive to hast
+            // and the partitioner can find them. A slot named in the component schema (other than the
+            // default body) is a nested container directive; the title is the directive [label].
+            const slotNames = new Set((def?.slots ?? []).map((s) => s.name));
+            for (const child of node.children) {
+                if (isDirectiveLabel(child) && slotNames.has('title')) {
+                    markSlot(child, 'title');
+                }
+                else if (child.type === 'containerDirective' &&
+                    slotNames.has(child.name)) {
+                    markSlot(child, child.name);
+                }
+            }
         });
         visit(tree, ['textDirective', 'leafDirective'], (node, index, parent) => {
             if (!parent || index == null)

package/dist/render/sanitize-schema.d.ts

@@ -0,0 +1,20 @@
+import { type Schema } from 'hast-util-sanitize';
+import type { Root } from 'hast';
+import { type ComponentRegistry } from './registry.js';
+/**
+ * Build the delivery sanitize schema. Starts from hast-util-sanitize's defaultSchema, the
+ * GitHub-lineage allowlist that strips scripts, inline event handlers, and javascript:/data: URLs,
+ * then adds exactly what cairn's render needs. The directive markers (the fixed ones plus the
+ * dataAttr<Key> markers derived from the registry) survive so the dispatch reads its stamps after
+ * the floor. The benign author tags real content uses (nav, details, summary) and class/target/rel
+ * on anchors are admitted. A site extends the result through `extend`, always starting from this
+ * safe base, so it can add to the allowlist but not weaken the core strip.
+ */
+export declare function buildSanitizeSchema(registry: ComponentRegistry, extend?: (defaults: Schema) => Schema): Schema;
+/**
+ * Force rel="noopener noreferrer" on every target="_blank" anchor, to prevent reverse-tabnabbing.
+ * hast-util-sanitize runs no per-node hook, so this small transform carries the behavior the old
+ * DOMPurify preview pass enforced, now on the delivered output as well.
+ */
+export declare function rehypeAnchorRel(): (tree: Root) => void;
+//# sourceMappingURL=sanitize-schema.d.ts.map

package/dist/render/sanitize-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-schema.d.ts","sourceRoot":"","sources":["../../src/lib/render/sanitize-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAgB,KAAK,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAMrE;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GACpC,MAAM,CAoBR;AAED;;;;GAIG;AACH,wBAAgB,eAAe,KACrB,MAAM,IAAI,UAOnB"}

package/dist/render/sanitize-schema.js

@@ -0,0 +1,48 @@
+import { defaultSchema } from 'hast-util-sanitize';
+import { visit } from 'unist-util-visit';
+import { dataAttrProp } from './registry.js';
+// The fixed directive markers the stamp writes and the dispatch reads. They are inert data
+// attributes, never a script vector, and must survive the floor so the dispatch still runs.
+const FIXED_MARKERS = ['dataPrimitive', 'dataSlot', 'dataIcon', 'dataRole', 'dataRise'];
+/**
+ * Build the delivery sanitize schema. Starts from hast-util-sanitize's defaultSchema, the
+ * GitHub-lineage allowlist that strips scripts, inline event handlers, and javascript:/data: URLs,
+ * then adds exactly what cairn's render needs. The directive markers (the fixed ones plus the
+ * dataAttr<Key> markers derived from the registry) survive so the dispatch reads its stamps after
+ * the floor. The benign author tags real content uses (nav, details, summary) and class/target/rel
+ * on anchors are admitted. A site extends the result through `extend`, always starting from this
+ * safe base, so it can add to the allowlist but not weaken the core strip.
+ */
+export function buildSanitizeSchema(registry, extend) {
+    const attrMarkers = registry.defs.flatMap((d) => (d.attributes ?? []).map((a) => dataAttrProp(a.key)));
+    const markers = [...FIXED_MARKERS, ...attrMarkers];
+    const attributes = defaultSchema.attributes ?? {};
+    // defaultSchema's `a` entry carries a className tuple (`['className', 'data-footnote-backref']`)
+    // that restricts a link's class to that one value. A per-tag tuple wins over a bare `*` entry, so
+    // it would strip an author's link class. Drop that tuple before admitting a free-form `className`.
+    const anchorAttrs = (attributes.a ?? []).filter((entry) => !(Array.isArray(entry) && entry[0] === 'className'));
+    const schema = {
+        ...defaultSchema,
+        tagNames: [...(defaultSchema.tagNames ?? []), 'nav', 'details', 'summary'],
+        attributes: {
+            ...attributes,
+            '*': [...(attributes['*'] ?? []), 'className', ...markers],
+            a: [...anchorAttrs, 'className', 'target', 'rel'],
+        },
+    };
+    return extend ? extend(schema) : schema;
+}
+/**
+ * Force rel="noopener noreferrer" on every target="_blank" anchor, to prevent reverse-tabnabbing.
+ * hast-util-sanitize runs no per-node hook, so this small transform carries the behavior the old
+ * DOMPurify preview pass enforced, now on the delivered output as well.
+ */
+export function rehypeAnchorRel() {
+    return (tree) => {
+        visit(tree, 'element', (node) => {
+            if (node.tagName === 'a' && node.properties?.target === '_blank') {
+                node.properties.rel = 'noopener noreferrer';
+            }
+        });
+    };
+}

package/dist/sveltekit/auth-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/auth-routes.ts"],"names":[],"mappings":"AAcA,OAAO,EAAyC,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC3G,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB;uBA2B7B,cAAc,KAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAnBjD,cAAc,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;yBA4BnE,cAAc,KACpB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAcxB,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;0BAwBhC,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;EASnE"}
+{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/auth-routes.ts"],"names":[],"mappings":"AAeA,OAAO,EAAyC,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC3G,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB;uBA2C7B,cAAc,KAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAnCjD,cAAc,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;yBA4CnE,cAAc,KACpB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAcxB,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;0BAyBhC,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;EAUnE"}

package/dist/sveltekit/auth-routes.js

@@ -3,8 +3,8 @@
 // against a sink. The confirm-load, confirm, and logout handlers arrive in Task 6.
 import { redirect } from '@sveltejs/kit';
 import { requireOrigin, requireDb } from '../env.js';
-import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, COOKIE_NAME, } from '../auth/crypto.js';
-import { findEditor, issueToken, consumeToken, createSession, deleteSession } from '../auth/store.js';
+import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, SEND_COOLDOWN_MS, sessionCookieName, } from '../auth/crypto.js';
+import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
 import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
 export function createAuthRoutes(config) {
     const send = config.send ?? cloudflareSend;
@@ -21,11 +21,27 @@ export function createAuthRoutes(config) {
         const email = String(form.get('email') ?? '').trim().toLowerCase();
         const editor = email ? await findEditor(db, email) : null;
         if (editor) {
-            const token = generateToken();
             const now = Date.now();
-            await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-            const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+            // Per-email cooldown: skip the reissue and send when a token for this email was issued within
+            // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
+            // the non-leak property holds.
+            if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
+                const token = generateToken();
+                await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+                const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+                // The token row is the security-critical write the email depends on, so it is awaited. The
+                // send is a post-response side effect, handed to waitUntil so a slow email provider does not
+                // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
+                // failure is logged so observability survives a backgrounded send.
+                const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch((err) => console.error('cairn: magic-link send failed', err));
+                // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
+                // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
+                const ctx = event.platform?.ctx ?? event.platform?.context;
+                if (ctx?.waitUntil)
+                    ctx.waitUntil(sending);
+                else
+                    await sending;
+            }
         }
         return { sent: true };
     }
@@ -62,11 +78,12 @@ export function createAuthRoutes(config) {
             throw redirect(303, '/admin/login?error=expired');
         const id = generateSessionId();
         await createSession(db, id, email, now + SESSION_TTL_MS, now);
-        event.cookies.set(COOKIE_NAME, id, {
+        const secure = event.url.protocol === 'https:';
+        event.cookies.set(sessionCookieName(secure), id, {
             path: '/',
             httpOnly: true,
-            // Secure on HTTPS (every real deploy); off on local http dev so the cookie sticks.
-            secure: event.url.protocol === 'https:',
+            // __Host- needs Secure unconditionally on https; local http dev drops the prefix and Secure.
+            secure,
             sameSite: 'lax',
             maxAge: Math.floor(SESSION_TTL_MS / 1000),
         });
@@ -75,10 +92,11 @@ export function createAuthRoutes(config) {
     /** POST /admin/auth/logout. Deletes the session row and clears the cookie. */
     async function logoutAction(event) {
         const db = requireDb(event.platform?.env ?? {});
-        const id = event.cookies.get(COOKIE_NAME);
+        const name = sessionCookieName(event.url.protocol === 'https:');
+        const id = event.cookies.get(name);
         if (id)
             await deleteSession(db, id);
-        event.cookies.delete(COOKIE_NAME, { path: '/' });
+        event.cookies.delete(name, { path: '/' });
         throw redirect(303, '/admin/login');
     }
     return { loginLoad, requestAction, confirmLoad, confirmAction, logoutAction };

package/dist/sveltekit/content-routes.js

@@ -8,7 +8,7 @@ import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown }
 import { isValidId, slugify, filenameFromId, composeDatedId } from '../content/ids.js';
 import { appCredentials } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
-import { installationToken } from '../github/signing.js';
+import { cachedInstallationToken } from '../github/signing.js';
 import { CommitConflictError } from '../github/types.js';
 /** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
 function sessionOf(event) {
@@ -25,7 +25,7 @@ function conceptOf(runtime, params) {
     return concept;
 }
 export function createContentRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** Layout load for every admin page: the nav, the user, and the active path. */
     function layoutLoad(event) {
         const editor = sessionOf(event);

package/dist/sveltekit/guard.d.ts

@@ -1,6 +1,6 @@
 import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export declare function createAuthGuard(): ({ event, resolve }: HandleInput) => Promise<Response>;
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */
 export declare function requireSession(event: RequestContext): Editor;

package/dist/sveltekit/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAW9D,sDAAsD;AACtD,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAYjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAwB9D,kFAAkF;AAClF,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAcjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}

package/dist/sveltekit/guard.js

@@ -3,7 +3,7 @@
 // stays free of a site's App.* ambient types.
 import { redirect, error } from '@sveltejs/kit';
 import { resolveSession } from '../auth/store.js';
-import { COOKIE_NAME } from '../auth/crypto.js';
+import { sessionCookieName } from '../auth/crypto.js';
 /** The login page and the auth endpoints are public; everything else under /admin is gated. */
 function isPublicAdminPath(pathname) {
     return pathname === '/admin/login' || pathname.startsWith('/admin/auth/');
@@ -11,20 +11,35 @@ function isPublicAdminPath(pathname) {
 function isAdminPath(pathname) {
     return pathname === '/admin' || pathname.startsWith('/admin/');
 }
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/**
+ * Attach the baseline security headers to an admin response. No full CSP; see the auth-hardening
+ * design. frame-ancestors is the modern clickjacking control and the one CSP directive included.
+ */
+function applySecurityHeaders(headers) {
+    headers.set('X-Content-Type-Options', 'nosniff');
+    headers.set('X-Frame-Options', 'DENY');
+    headers.set('Content-Security-Policy', "frame-ancestors 'none'");
+    headers.set('Referrer-Policy', 'no-referrer');
+    headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
+    headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+}
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export function createAuthGuard() {
     return async function handle({ event, resolve }) {
         const { pathname } = event.url;
-        if (!isAdminPath(pathname) || isPublicAdminPath(pathname)) {
+        if (!isAdminPath(pathname))
             return resolve(event);
+        if (!isPublicAdminPath(pathname)) {
+            const env = event.platform?.env ?? {};
+            const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
+            const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+            if (!editor)
+                throw redirect(303, '/admin/login');
+            event.locals.editor = editor;
         }
-        const env = event.platform?.env ?? {};
-        const id = event.cookies.get(COOKIE_NAME);
-        const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
-        if (!editor)
-            throw redirect(303, '/admin/login');
-        event.locals.editor = editor;
-        return resolve(event);
+        const response = await resolve(event);
+        applySecurityHeaders(response.headers);
+        return response;
     };
 }
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */

package/dist/sveltekit/nav-routes.js

@@ -3,7 +3,7 @@
 // and commit paths are unit-testable against a fetch double with an injected token.
 import { redirect, error } from '@sveltejs/kit';
 import { appCredentials } from '../github/credentials.js';
-import { installationToken } from '../github/signing.js';
+import { cachedInstallationToken } from '../github/signing.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
 import { CommitConflictError } from '../github/types.js';
 import { parseSiteConfig, extractMenu, validateNavTree, setMenu } from '../nav/site-config.js';
@@ -19,7 +19,7 @@ function isConflict(err) {
     return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
 }
 export function createNavRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** List page-like concepts (routable, not dated) for the URL picker. Best-effort per concept. */
     async function pageOptions(token) {
         const pageConcepts = runtime.concepts.filter((c) => c.routing.routable && !c.routing.dated);

package/dist/sveltekit/public-routes.d.ts

@@ -17,6 +17,9 @@ export interface PublicRoutesDeps {
         rss?: string;
         json?: string;
     };
+    /** A site-wide default OG image, used when an entry declares none. Resolved to absolute like the
+     *  canonical URL, so a relative path such as "/og/default.png" works. */
+    defaultImage?: string;
 }
 /** The archive and tag list data: summaries the template renders. */
 export interface ListData {

package/dist/sveltekit/public-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"public-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/public-routes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAE3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,KAAK,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAED,qEAAqE;AACrE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAQ,SAAQ,QAAQ;IACvC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACxC;AAED,oFAAoF;AACpF,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,YAAY,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB;uBAWvB;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,KAAG,OAAO,CAAC,SAAS,CAAC;6BAoBjC,MAAM,KAAG,QAAQ;8BAKhB,MAAM,KAAG,YAAY;yBAK1B,MAAM,SAAS;QAAE,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,KAAG,OAAO;mBAO5D;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE;EAKvC"}
+{"version":3,"file":"public-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/public-routes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAE3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,KAAK,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC;6EACyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qEAAqE;AACrE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAQ,SAAQ,QAAQ;IACvC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACxC;AAED,oFAAoF;AACpF,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,YAAY,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB;uBAWvB;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,KAAG,OAAO,CAAC,SAAS,CAAC;6BA0BjC,MAAM,KAAG,QAAQ;8BAKhB,MAAM,KAAG,YAAY;yBAK1B,MAAM,SAAS;QAAE,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,KAAG,OAAO;mBAO5D;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE;EAKvC"}

package/dist/sveltekit/public-routes.js

@@ -5,9 +5,10 @@
 // from globs, so it stays in the prerender graph and out of the runtime Worker.
 import { error } from '@sveltejs/kit';
 import { buildSeoMeta } from '../delivery/seo.js';
+import { readSeoFields, resolveImageUrl } from '../delivery/seo-fields.js';
 /** Build the public loaders for a site's unified index. */
 export function createPublicRoutes(deps) {
-    const { site, render, origin, siteName, description, feeds } = deps;
+    const { site, render, origin, siteName, description, feeds, defaultImage } = deps;
     /** Resolve one concept's index by id, or a 404 (the route names an unconfigured concept). */
     function indexOf(conceptId) {
         const index = site.concept(conceptId);
@@ -22,16 +23,22 @@ export function createPublicRoutes(deps) {
             throw error(404, `Not found: ${event.url.pathname}`);
         const { newer, older } = site.adjacent(entry);
         const canonicalUrl = origin + entry.permalink;
+        const fields = readSeoFields(entry.frontmatter);
+        const rawImage = fields.image ?? defaultImage;
+        const image = rawImage ? resolveImageUrl(rawImage, origin) : undefined;
         // A dated entry is an article; an undated one (a page) is a website.
         const seo = buildSeoMeta({
             title: entry.title,
-            description: entry.frontmatter.description || entry.excerpt || description,
+            description: fields.description || entry.excerpt || description,
             canonicalUrl,
             siteName,
             type: entry.date ? 'article' : 'website',
             ...(entry.date ? { published: entry.date } : {}),
             ...(entry.updated ? { modified: entry.updated } : {}),
-            feeds,
+            ...(image ? { image } : {}),
+            ...(fields.robots ? { robots: fields.robots } : {}),
+            ...(fields.author ? { author: fields.author } : {}),
+            ...(entry.date ? { feeds } : {}),
         });
         return { entry, html: await render(entry.body, { stagger: true }), canonicalUrl, seo, newer, older };
     }

package/dist/sveltekit/types.d.ts

@@ -22,6 +22,12 @@ export interface RequestContext {
     };
     platform?: {
         env?: AuthEnv;
+        ctx?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
+        context?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
     };
     setHeaders(headers: Record<string, string>): void;
 }

package/dist/sveltekit/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAG7B,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QACT,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,GAAG,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;QACrD,OAAO,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;KAC1D,CAAC;IAGF,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.11.0",
+  "version": "0.17.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -73,11 +73,12 @@
     "@types/hast": "^3.0.4",
     "@types/mdast": "^4.0.4",
     "codemirror": "^6.0.2",
-    "dompurify": "^3.4.7",
     "gray-matter": "^4",
+    "hast-util-sanitize": "^5.0.2",
     "hastscript": "^9.0.1",
     "mdast-util-directive": "^3.1.0",
     "rehype-raw": "^7.0.0",
+    "rehype-sanitize": "^6.0.0",
     "rehype-slug": "^6.0.0",
     "rehype-stringify": "^10.0.1",
     "remark-directive": "^4.0.0",

package/src/lib/auth/crypto.ts

@@ -2,8 +2,17 @@
 // code runs unchanged in workerd. The store keeps only the hash of a token, never the
 // token itself (spec 7.1).
 
-/** The session cookie name. */
-export const COOKIE_NAME = 'cairn_session';
+/** The base session cookie name, prefixed with __Host- when the cookie is Secure. */
+const COOKIE_BASE = 'cairn_session';
+
+/**
+ * The session cookie name. On https the cookie is Secure and takes the __Host- prefix, which
+ * binds it to the origin (the browser enforces Secure, Path=/, and no Domain). On local http
+ * dev the prefix is dropped, since __Host- requires Secure and the dev cookie cannot set it.
+ */
+export function sessionCookieName(secure: boolean): string {
+  return secure ? `__Host-${COOKIE_BASE}` : COOKIE_BASE;
+}
 
 /** Magic-link tokens live 10 minutes. */
 export const TOKEN_TTL_MS = 10 * 60 * 1000;
@@ -11,6 +20,9 @@ export const TOKEN_TTL_MS = 10 * 60 * 1000;
 /** Sessions live 30 days. */
 export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 
+/** A magic link is sent at most once per email per minute, to throttle inbox flooding. */
+export const SEND_COOLDOWN_MS = 60 * 1000;
+
 function randomBase64Url(byteLength = 32): string {
   const bytes = new Uint8Array(byteLength);
   crypto.getRandomValues(bytes);

package/src/lib/auth/store.ts

@@ -28,13 +28,23 @@ export async function issueToken(
   now: number,
 ): Promise<void> {
   await db.batch([
-    db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+    // Replace this email's prior token, and sweep any expired token while here (no cron needed).
+    db.prepare('DELETE FROM magic_token WHERE email = ? OR expires_at <= ?').bind(email, now),
     db
       .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
       .bind(tokenHash, email, expiresAt, now),
   ]);
 }
 
+/** True when a magic-link token for this email was issued at or after `since`, for the send cooldown. */
+export async function recentlyIssued(db: D1Database, email: string, since: number): Promise<boolean> {
+  const row = await db
+    .prepare('SELECT 1 AS one FROM magic_token WHERE email = ? AND created_at >= ? LIMIT 1')
+    .bind(email, since)
+    .first<{ one: number }>();
+  return row != null;
+}
+
 /**
  * Consume a token in one atomic statement. A returned email means the token was present and
  * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
@@ -55,10 +65,13 @@ export async function createSession(
   expiresAt: number,
   now: number,
 ): Promise<void> {
-  await db
-    .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
-    .bind(id, email, expiresAt, now)
-    .run();
+  await db.batch([
+    // Sweep expired sessions on login, so abandoned rows do not accumulate (no cron needed).
+    db.prepare('DELETE FROM session WHERE expires_at <= ?').bind(now),
+    db
+      .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+      .bind(id, email, expiresAt, now),
+  ]);
 }
 
 /**

package/src/lib/components/ComponentForm.svelte

@@ -38,6 +38,32 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
     return Array.isArray(v) ? v : [];
   }
 
+  // Stable per-item ids run parallel to each repeatable slot's value array, so the {#each} keys by
+  // identity instead of index. A mid-list removal then drops the right DOM node and the focused
+  // item follows the data. Ids come from a monotonic module-local counter, never Math.random or
+  // Date.now. The value arrays in values.slots stay the canonical string lists serializeComponent
+  // reads, so the emitted markdown is unchanged. emptyValues seeds every repeatable slot to [], so
+  // the id lists start empty and stay in lockstep with the values through addItem/removeItem.
+  let nextId = 0;
+  const itemIds = $state<Record<string, number[]>>(
+    untrack(() => Object.fromEntries((def.slots ?? []).filter((s) => s.kind === 'repeatable').map((s) => [s.name, []]))),
+  );
+
+  // emptyValues and the itemIds seed both cover every repeatable slot, so this read always hits.
+  function slotIds(name: string): number[] {
+    return itemIds[name] ?? [];
+  }
+
+  function addItem(name: string): void {
+    slotItems(name).push('');
+    slotIds(name).push(nextId++);
+  }
+
+  function removeItem(name: string, index: number): void {
+    slotItems(name).splice(index, 1);
+    slotIds(name).splice(index, 1);
+  }
+
   // Typed accessors over the unions so explicit value targets stay sound.
   function asString(key: string): string {
     const v = values.attributes[key];
@@ -79,7 +105,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <input
           class="checkbox checkbox-sm"
           type="checkbox"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           checked={asBool(field.key)}
@@ -92,7 +117,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <select
           class="select"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           value={asString(field.key)}
@@ -107,6 +131,7 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <IconPicker
           {icons}
+          label={field.label}
           value={asString(field.key)}
           required={field.required ?? false}
           onChange={(name) => (values.attributes[field.key] = name)}
@@ -117,7 +142,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{field.label}</span>
         <input
           class="input"
-          aria-label={field.label}
           aria-invalid={Boolean(errors[field.key])}
           aria-describedby={errors[field.key] ? `err-${field.key}` : undefined}
           value={asString(field.key)}
@@ -134,7 +158,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{slot.label}</span>
         <textarea
           class="textarea"
-          aria-label={slot.label}
           aria-invalid={Boolean(errors[slot.name])}
           aria-describedby={errors[slot.name] ? `err-${slot.name}` : undefined}
           rows={3}
@@ -147,7 +170,6 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
         <span class="text-sm font-medium">{slot.label}</span>
         <input
           class="input"
-          aria-label={slot.label}
           aria-invalid={Boolean(errors[slot.name])}
           aria-describedby={errors[slot.name] ? `err-${slot.name}` : undefined}
           value={slotString(slot.name)}
@@ -160,16 +182,17 @@ markdown. Back returns to the picker. This is not a nested HTML form; Insert cal
 
   {#each repeatableSlots as slot (slot.name)}
     {@const items = slotItems(slot.name)}
+    {@const ids = slotIds(slot.name)}
     <fieldset class="rounded-box border border-base-300 flex flex-col gap-2 p-2">
       <legend class="text-sm font-medium">{slot.label}</legend>
-      <!-- Index key is deliberate: items are bare strings with no stable id, so the value bindings and splice/push are index-based by design. -->
-      {#each items as _, i (i)}
+      <!-- Keyed by the parallel stable id so a mid-list removal drops the right node and focus follows the data; the value still binds to the canonical items[i] string the serializer reads. -->
+      {#each ids as id, i (id)}
         <div class="flex items-center gap-2">
-          <input class="input input-sm flex-1" aria-label={`${slot.label} item`} bind:value={items[i]} />
-          <button type="button" class="btn btn-ghost btn-sm" aria-label={`Remove item ${i + 1}`} onclick={() => items.splice(i, 1)}>✕</button>
+          <input class="input input-sm flex-1" aria-label={`${slot.label} ${i + 1}`} bind:value={items[i]} />
+          <button type="button" class="btn btn-ghost btn-sm" aria-label={`Remove item ${i + 1}`} onclick={() => removeItem(slot.name, i)}>✕</button>
         </div>
       {/each}
-      <button type="button" class="btn btn-sm self-start" onclick={() => items.push('')}>Add item</button>
+      <button type="button" class="btn btn-sm self-start" onclick={() => addItem(slot.name)}>Add item</button>
       {#if errors[slot.name]}<span id={`err-${slot.name}`} role="alert" class="text-error text-xs">{errors[slot.name]}</span>{/if}
     </fieldset>
   {/each}