@glw907/cairn-cms 0.14.0 → 0.17.0

package/dist/sveltekit/auth-routes.js

@@ -3,8 +3,8 @@
 // against a sink. The confirm-load, confirm, and logout handlers arrive in Task 6.
 import { redirect } from '@sveltejs/kit';
 import { requireOrigin, requireDb } from '../env.js';
-import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, COOKIE_NAME, } from '../auth/crypto.js';
-import { findEditor, issueToken, consumeToken, createSession, deleteSession } from '../auth/store.js';
+import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, SEND_COOLDOWN_MS, sessionCookieName, } from '../auth/crypto.js';
+import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
 import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
 export function createAuthRoutes(config) {
     const send = config.send ?? cloudflareSend;
@@ -21,11 +21,27 @@ export function createAuthRoutes(config) {
         const email = String(form.get('email') ?? '').trim().toLowerCase();
         const editor = email ? await findEditor(db, email) : null;
         if (editor) {
-            const token = generateToken();
             const now = Date.now();
-            await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-            const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+            // Per-email cooldown: skip the reissue and send when a token for this email was issued within
+            // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
+            // the non-leak property holds.
+            if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
+                const token = generateToken();
+                await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+                const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+                // The token row is the security-critical write the email depends on, so it is awaited. The
+                // send is a post-response side effect, handed to waitUntil so a slow email provider does not
+                // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
+                // failure is logged so observability survives a backgrounded send.
+                const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch((err) => console.error('cairn: magic-link send failed', err));
+                // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
+                // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
+                const ctx = event.platform?.ctx ?? event.platform?.context;
+                if (ctx?.waitUntil)
+                    ctx.waitUntil(sending);
+                else
+                    await sending;
+            }
         }
         return { sent: true };
     }
@@ -62,11 +78,12 @@ export function createAuthRoutes(config) {
             throw redirect(303, '/admin/login?error=expired');
         const id = generateSessionId();
         await createSession(db, id, email, now + SESSION_TTL_MS, now);
-        event.cookies.set(COOKIE_NAME, id, {
+        const secure = event.url.protocol === 'https:';
+        event.cookies.set(sessionCookieName(secure), id, {
             path: '/',
             httpOnly: true,
-            // Secure on HTTPS (every real deploy); off on local http dev so the cookie sticks.
-            secure: event.url.protocol === 'https:',
+            // __Host- needs Secure unconditionally on https; local http dev drops the prefix and Secure.
+            secure,
             sameSite: 'lax',
             maxAge: Math.floor(SESSION_TTL_MS / 1000),
         });
@@ -75,10 +92,11 @@ export function createAuthRoutes(config) {
     /** POST /admin/auth/logout. Deletes the session row and clears the cookie. */
     async function logoutAction(event) {
         const db = requireDb(event.platform?.env ?? {});
-        const id = event.cookies.get(COOKIE_NAME);
+        const name = sessionCookieName(event.url.protocol === 'https:');
+        const id = event.cookies.get(name);
         if (id)
             await deleteSession(db, id);
-        event.cookies.delete(COOKIE_NAME, { path: '/' });
+        event.cookies.delete(name, { path: '/' });
         throw redirect(303, '/admin/login');
     }
     return { loginLoad, requestAction, confirmLoad, confirmAction, logoutAction };

package/dist/sveltekit/content-routes.js

@@ -8,7 +8,7 @@ import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown }
 import { isValidId, slugify, filenameFromId, composeDatedId } from '../content/ids.js';
 import { appCredentials } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
-import { installationToken } from '../github/signing.js';
+import { cachedInstallationToken } from '../github/signing.js';
 import { CommitConflictError } from '../github/types.js';
 /** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
 function sessionOf(event) {
@@ -25,7 +25,7 @@ function conceptOf(runtime, params) {
     return concept;
 }
 export function createContentRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** Layout load for every admin page: the nav, the user, and the active path. */
     function layoutLoad(event) {
         const editor = sessionOf(event);

package/dist/sveltekit/guard.d.ts

@@ -1,6 +1,6 @@
 import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export declare function createAuthGuard(): ({ event, resolve }: HandleInput) => Promise<Response>;
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */
 export declare function requireSession(event: RequestContext): Editor;

package/dist/sveltekit/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAW9D,sDAAsD;AACtD,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAYjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAwB9D,kFAAkF;AAClF,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAcjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}

package/dist/sveltekit/guard.js

@@ -3,7 +3,7 @@
 // stays free of a site's App.* ambient types.
 import { redirect, error } from '@sveltejs/kit';
 import { resolveSession } from '../auth/store.js';
-import { COOKIE_NAME } from '../auth/crypto.js';
+import { sessionCookieName } from '../auth/crypto.js';
 /** The login page and the auth endpoints are public; everything else under /admin is gated. */
 function isPublicAdminPath(pathname) {
     return pathname === '/admin/login' || pathname.startsWith('/admin/auth/');
@@ -11,20 +11,35 @@ function isPublicAdminPath(pathname) {
 function isAdminPath(pathname) {
     return pathname === '/admin' || pathname.startsWith('/admin/');
 }
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/**
+ * Attach the baseline security headers to an admin response. No full CSP; see the auth-hardening
+ * design. frame-ancestors is the modern clickjacking control and the one CSP directive included.
+ */
+function applySecurityHeaders(headers) {
+    headers.set('X-Content-Type-Options', 'nosniff');
+    headers.set('X-Frame-Options', 'DENY');
+    headers.set('Content-Security-Policy', "frame-ancestors 'none'");
+    headers.set('Referrer-Policy', 'no-referrer');
+    headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
+    headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+}
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export function createAuthGuard() {
     return async function handle({ event, resolve }) {
         const { pathname } = event.url;
-        if (!isAdminPath(pathname) || isPublicAdminPath(pathname)) {
+        if (!isAdminPath(pathname))
             return resolve(event);
+        if (!isPublicAdminPath(pathname)) {
+            const env = event.platform?.env ?? {};
+            const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
+            const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+            if (!editor)
+                throw redirect(303, '/admin/login');
+            event.locals.editor = editor;
         }
-        const env = event.platform?.env ?? {};
-        const id = event.cookies.get(COOKIE_NAME);
-        const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
-        if (!editor)
-            throw redirect(303, '/admin/login');
-        event.locals.editor = editor;
-        return resolve(event);
+        const response = await resolve(event);
+        applySecurityHeaders(response.headers);
+        return response;
     };
 }
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */

package/dist/sveltekit/nav-routes.js

@@ -3,7 +3,7 @@
 // and commit paths are unit-testable against a fetch double with an injected token.
 import { redirect, error } from '@sveltejs/kit';
 import { appCredentials } from '../github/credentials.js';
-import { installationToken } from '../github/signing.js';
+import { cachedInstallationToken } from '../github/signing.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
 import { CommitConflictError } from '../github/types.js';
 import { parseSiteConfig, extractMenu, validateNavTree, setMenu } from '../nav/site-config.js';
@@ -19,7 +19,7 @@ function isConflict(err) {
     return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
 }
 export function createNavRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** List page-like concepts (routable, not dated) for the URL picker. Best-effort per concept. */
     async function pageOptions(token) {
         const pageConcepts = runtime.concepts.filter((c) => c.routing.routable && !c.routing.dated);

package/dist/sveltekit/public-routes.js

@@ -38,7 +38,7 @@ export function createPublicRoutes(deps) {
             ...(image ? { image } : {}),
             ...(fields.robots ? { robots: fields.robots } : {}),
             ...(fields.author ? { author: fields.author } : {}),
-            feeds,
+            ...(entry.date ? { feeds } : {}),
         });
         return { entry, html: await render(entry.body, { stagger: true }), canonicalUrl, seo, newer, older };
     }

package/dist/sveltekit/types.d.ts

@@ -22,6 +22,12 @@ export interface RequestContext {
     };
     platform?: {
         env?: AuthEnv;
+        ctx?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
+        context?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
     };
     setHeaders(headers: Record<string, string>): void;
 }

package/dist/sveltekit/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAG7B,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QACT,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,GAAG,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;QACrD,OAAO,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;KAC1D,CAAC;IAGF,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.14.0",
+  "version": "0.17.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -73,11 +73,12 @@
     "@types/hast": "^3.0.4",
     "@types/mdast": "^4.0.4",
     "codemirror": "^6.0.2",
-    "dompurify": "^3.4.7",
     "gray-matter": "^4",
+    "hast-util-sanitize": "^5.0.2",
     "hastscript": "^9.0.1",
     "mdast-util-directive": "^3.1.0",
     "rehype-raw": "^7.0.0",
+    "rehype-sanitize": "^6.0.0",
     "rehype-slug": "^6.0.0",
     "rehype-stringify": "^10.0.1",
     "remark-directive": "^4.0.0",

package/src/lib/auth/crypto.ts

@@ -2,8 +2,17 @@
 // code runs unchanged in workerd. The store keeps only the hash of a token, never the
 // token itself (spec 7.1).
 
-/** The session cookie name. */
-export const COOKIE_NAME = 'cairn_session';
+/** The base session cookie name, prefixed with __Host- when the cookie is Secure. */
+const COOKIE_BASE = 'cairn_session';
+
+/**
+ * The session cookie name. On https the cookie is Secure and takes the __Host- prefix, which
+ * binds it to the origin (the browser enforces Secure, Path=/, and no Domain). On local http
+ * dev the prefix is dropped, since __Host- requires Secure and the dev cookie cannot set it.
+ */
+export function sessionCookieName(secure: boolean): string {
+  return secure ? `__Host-${COOKIE_BASE}` : COOKIE_BASE;
+}
 
 /** Magic-link tokens live 10 minutes. */
 export const TOKEN_TTL_MS = 10 * 60 * 1000;
@@ -11,6 +20,9 @@ export const TOKEN_TTL_MS = 10 * 60 * 1000;
 /** Sessions live 30 days. */
 export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 
+/** A magic link is sent at most once per email per minute, to throttle inbox flooding. */
+export const SEND_COOLDOWN_MS = 60 * 1000;
+
 function randomBase64Url(byteLength = 32): string {
   const bytes = new Uint8Array(byteLength);
   crypto.getRandomValues(bytes);

package/src/lib/auth/store.ts

@@ -28,13 +28,23 @@ export async function issueToken(
   now: number,
 ): Promise<void> {
   await db.batch([
-    db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+    // Replace this email's prior token, and sweep any expired token while here (no cron needed).
+    db.prepare('DELETE FROM magic_token WHERE email = ? OR expires_at <= ?').bind(email, now),
     db
       .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
       .bind(tokenHash, email, expiresAt, now),
   ]);
 }
 
+/** True when a magic-link token for this email was issued at or after `since`, for the send cooldown. */
+export async function recentlyIssued(db: D1Database, email: string, since: number): Promise<boolean> {
+  const row = await db
+    .prepare('SELECT 1 AS one FROM magic_token WHERE email = ? AND created_at >= ? LIMIT 1')
+    .bind(email, since)
+    .first<{ one: number }>();
+  return row != null;
+}
+
 /**
  * Consume a token in one atomic statement. A returned email means the token was present and
  * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
@@ -55,10 +65,13 @@ export async function createSession(
   expiresAt: number,
   now: number,
 ): Promise<void> {
-  await db
-    .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
-    .bind(id, email, expiresAt, now)
-    .run();
+  await db.batch([
+    // Sweep expired sessions on login, so abandoned rows do not accumulate (no cron needed).
+    db.prepare('DELETE FROM session WHERE expires_at <= ?').bind(now),
+    db
+      .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+      .bind(id, email, expiresAt, now),
+  ]);
 }
 
 /**

package/src/lib/components/EditPage.svelte

@@ -12,14 +12,13 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
   import type { IconSet } from '../render/glyph.js';
   import type { EditData } from '../sveltekit/content-routes.js';
   import type { TextareaField, TagsField, FreeTagsField } from '../content/types.js';
-  import { sanitizePreviewHtml } from '../render/sanitize.js';
 
   interface Props {
     /** The edit load's data, plus the site name for the heading. */
     data: EditData & { siteName: string };
     /** The site's component registry, for the insert palette. */
     registry?: ComponentRegistry;
-    /** The site's design-accurate render pipeline; the preview pane sanitizes its output. */
+    /** The site's design-accurate render pipeline; the preview pane renders its output, which the floored pipeline already sanitized. */
     render?: (md: string, opts?: { stagger?: boolean }) => string | Promise<string>;
     /** The site's icon set, for the guided form's icon fields. */
     icons?: IconSet;
@@ -46,8 +45,8 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
     localStorage.setItem(PREVIEW_KEY, showPreview ? '1' : '0');
   }
 
-  // Render the design-accurate preview as the body changes, debounced, and sanitize before the DOM.
-  // The sanitize is the one barrier between editor-authored markdown and the page (the editor is unsanitized).
+  // Render the design-accurate preview as the body changes, debounced. The site's render is the
+  // floored engine pipeline, so its output is already sanitized; the preview mirrors the page.
   // previewRun is a plain counter (not reactive state) used as a latest-wins guard: if a slow earlier
   // async render call resolves after a newer one has started, the stale result is discarded.
   let previewRun = 0;
@@ -58,8 +57,7 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
     const handle = setTimeout(async () => {
       try {
         const html = await render(md);
-        const safe = await sanitizePreviewHtml(html);
-        if (run === previewRun) previewHtml = safe;
+        if (run === previewRun) previewHtml = html;
       } catch {
         if (run === previewRun) previewHtml = '';
       }

package/src/lib/delivery/content-index.ts

@@ -84,18 +84,21 @@ export function createContentIndex<F = Record<string, unknown>>(
   descriptor: ConceptDescriptor,
 ): ContentIndex<F> {
   const problems: ContentProblem[] = [];
-  const entries: ContentEntry<F>[] = files.map((file) => {
+  const entries: ContentEntry<F>[] = [];
+  for (const file of files) {
     const id = idFromFilename(basename(file.path));
     const slug = slugFromId(id, descriptor.routing.dated ? descriptor.datePrefix : null);
     const { frontmatter: raw, body } = parseMarkdown(file.raw);
     const date = asDate(raw.date);
     const draft = raw.draft === true;
-    // Validate once at build. The cheap summary stays raw-derived and robust; the typed detail
-    // frontmatter carries the normalized data on success, the raw frontmatter on failure. A
-    // failure is recorded, not thrown, so the query surface does not explode on construction.
+    // Validate once at build. A failure is recorded for the site gate and excluded from the typed
+    // read, so every readable entry's frontmatter is the validator's normalized output, never raw.
     const result = descriptor.validate(raw, body);
-    if (!result.ok) problems.push({ id, draft, errors: result.errors });
-    return {
+    if (!result.ok) {
+      problems.push({ id, draft, errors: result.errors });
+      continue;
+    }
+    entries.push({
       id,
       slug,
       permalink: permalink(descriptor, { id, slug, date }),
@@ -106,10 +109,10 @@ export function createContentIndex<F = Record<string, unknown>>(
       excerpt: deriveExcerpt(body, { description: asString(raw.description) }),
       wordCount: wordCount(body),
       draft,
-      frontmatter: (result.ok ? result.data : raw) as F,
+      frontmatter: result.data as F,
       body,
-    };
-  });
+    });
+  }
 
   // Dated concepts sort newest-first; undated concepts (Pages) sort by title.
   const sorted = [...entries].sort((a, b) =>

package/src/lib/delivery/feeds.ts

@@ -17,7 +17,7 @@ export interface FeedChannel {
 export interface FeedItem {
   title: string;
   url: string;
-  date: string;
+  date?: string;
   updated?: string;
   summary: string;
   contentHtml?: string;
@@ -37,14 +37,22 @@ function cdataSafe(value: string): string {
   return value.replace(/]]>/g, ']]]]><![CDATA[>');
 }
 
-/** Format a YYYY-MM-DD (or ISO) string as an RFC-822 date in UTC, as RSS wants. */
-function rfc822(date: string): string {
-  return new Date(`${date.slice(0, 10)}T00:00:00.000Z`).toUTCString();
+/** Parse a YYYY-MM-DD (or ISO) string as a UTC instant. Returns undefined for an absent or
+ *  unparseable date, so a feed omits the date field rather than emit Invalid Date or throw. */
+function parseFeedDate(date?: string): Date | undefined {
+  if (!date) return undefined;
+  const at = new Date(`${date.slice(0, 10)}T00:00:00.000Z`);
+  return Number.isNaN(at.getTime()) ? undefined : at;
 }
 
-/** Format a YYYY-MM-DD (or ISO) string as an ISO-8601 instant in UTC. */
-function iso(date: string): string {
-  return new Date(`${date.slice(0, 10)}T00:00:00.000Z`).toISOString();
+/** Format a date as an RFC-822 string in UTC, as RSS wants, or undefined when it cannot parse. */
+function rfc822(date?: string): string | undefined {
+  return parseFeedDate(date)?.toUTCString();
+}
+
+/** Format a date as an ISO-8601 instant in UTC, or undefined when it cannot parse. */
+function iso(date?: string): string | undefined {
+  return parseFeedDate(date)?.toISOString();
 }
 
 /** Build an RSS 2.0 document. */
@@ -52,17 +60,20 @@ export function buildRssFeed(channel: FeedChannel, items: FeedItem[]): string {
   const entries = items
     .map((item) => {
       const content = item.contentHtml ?? item.summary;
+      const pubDate = rfc822(item.date);
       return [
         '    <item>',
         `      <title>${escapeXml(item.title)}</title>`,
         `      <link>${escapeXml(item.url)}</link>`,
         `      <guid isPermaLink="true">${escapeXml(item.url)}</guid>`,
-        `      <pubDate>${rfc822(item.date)}</pubDate>`,
+        pubDate ? `      <pubDate>${pubDate}</pubDate>` : '',
         `      <description>${escapeXml(item.summary)}</description>`,
         // CDATA cannot contain `]]>`, so split that one sequence rather than escape the body.
         `      <content:encoded><![CDATA[${cdataSafe(content)}]]></content:encoded>`,
         '    </item>',
-      ].join('\n');
+      ]
+        .filter((line) => line !== '')
+        .join('\n');
     })
     .join('\n');
 
@@ -95,16 +106,20 @@ export function buildJsonFeed(channel: FeedChannel, items: FeedItem[]): string {
       feed_url: channel.feedUrl,
       ...(channel.language ? { language: channel.language } : {}),
       ...(channel.author ? { authors: [channel.author] } : {}),
-      items: items.map((item) => ({
-        id: item.url,
-        url: item.url,
-        title: item.title,
-        summary: item.summary,
-        date_published: iso(item.date),
-        ...(item.updated ? { date_modified: iso(item.updated) } : {}),
-        ...(item.contentHtml ? { content_html: item.contentHtml } : { content_text: item.summary }),
-        ...(item.tags && item.tags.length ? { tags: item.tags } : {}),
-      })),
+      items: items.map((item) => {
+        const datePublished = iso(item.date);
+        const dateModified = iso(item.updated);
+        return {
+          id: item.url,
+          url: item.url,
+          title: item.title,
+          summary: item.summary,
+          ...(datePublished ? { date_published: datePublished } : {}),
+          ...(dateModified ? { date_modified: dateModified } : {}),
+          ...(item.contentHtml ? { content_html: item.contentHtml } : { content_text: item.summary }),
+          ...(item.tags && item.tags.length ? { tags: item.tags } : {}),
+        };
+      }),
     },
     null,
     2,

package/src/lib/delivery/site-indexes.ts

@@ -39,10 +39,22 @@ export function createSiteIndexes<const A extends CairnAdapter>(
   opts: { validate?: boolean } = {},
 ): SiteIndexes<A> {
   const descriptors = siteDescriptors(adapter, config);
+  const globRecord = globs as Record<string, Record<string, string> | undefined>;
   const byConcept: Record<string, ContentIndex> = {};
   const conceptIndexes: ConceptIndex[] = [];
   for (const descriptor of descriptors) {
-    const record = (globs as Record<string, Record<string, string> | undefined>)[descriptor.id] ?? {};
+    if (descriptor.id === 'site') {
+      throw new Error(
+        'createSiteIndexes: a concept cannot be named "site", which is the reserved cross-concept resolver key',
+      );
+    }
+    if (!Object.prototype.hasOwnProperty.call(globRecord, descriptor.id)) {
+      const passed = Object.keys(globRecord);
+      throw new Error(
+        `createSiteIndexes: no glob passed for concept "${descriptor.id}"; pass its import.meta.glob (an empty {} for an intentionally empty concept). Globs passed: ${passed.length ? passed.join(', ') : '(none)'}`,
+      );
+    }
+    const record = globRecord[descriptor.id] ?? {};
     const index = createContentIndex(fromGlob(record), descriptor);
     byConcept[descriptor.id] = index;
     conceptIndexes.push({ descriptor, index });

package/src/lib/env.ts

@@ -13,6 +13,19 @@ export function requireOrigin(env: { PUBLIC_ORIGIN?: string }): string {
   if (!origin) {
     throw new Error('PUBLIC_ORIGIN is not configured');
   }
+  let hostname: string;
+  try {
+    hostname = new URL(origin).hostname;
+  } catch {
+    throw new Error(`PUBLIC_ORIGIN is not a valid URL, got ${origin}`);
+  }
+  // The magic-link origin must be https in production so the link and the __Host- cookie are
+  // origin-bound. http is allowed only for local dev on localhost or 127.0.0.1, matched exactly so
+  // a lookalike host like localhost.example.com cannot skip the https requirement.
+  const isLocal = hostname === 'localhost' || hostname === '127.0.0.1';
+  if (!origin.startsWith('https://') && !isLocal) {
+    throw new Error(`PUBLIC_ORIGIN must be https in production, got ${origin}`);
+  }
   return origin;
 }
 

package/src/lib/github/signing.ts

@@ -79,6 +79,38 @@ export async function installationToken(creds: AppCredentials): Promise<string>
   return ((await res.json()) as { token: string }).token;
 }
 
+interface CachedToken {
+  token: string;
+  expiresAt: number;
+}
+
+/**
+ * Build an installation-token cache. A module-global instance memoizes the minted token per
+ * installation for most of its one-hour life, so a warm Worker isolate reuses it across requests
+ * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
+ * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
+ * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
+ * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * cache is testable with no network call and no real clock.
+ */
+export function createInstallationTokenCache(
+  mint: (creds: AppCredentials) => Promise<string> = installationToken,
+  now: () => number = () => Date.now(),
+  ttlMs = 55 * 60 * 1000,
+): (creds: AppCredentials) => Promise<string> {
+  const cache = new Map<string, CachedToken>();
+  return async function get(creds: AppCredentials): Promise<string> {
+    const hit = cache.get(creds.installationId);
+    if (hit && hit.expiresAt > now()) return hit.token;
+    const token = await mint(creds);
+    cache.set(creds.installationId, { token, expiresAt: now() + ttlMs });
+    return token;
+  };
+}
+
+/** The shared installation-token cache, one instance per Worker isolate. */
+export const cachedInstallationToken = createInstallationTokenCache();
+
 /**
  * Deploy-time self-test for the App signer: sign a dummy JWT with the configured key. It
  * exercises the brittle PKCS#1-to-PKCS#8 conversion and the Web Crypto import and sign with

package/src/lib/render/pipeline.ts

@@ -6,6 +6,9 @@ import remarkRehype from 'remark-rehype';
 import rehypeRaw from 'rehype-raw';
 import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
+import rehypeSanitize from 'rehype-sanitize';
+import type { Schema } from 'hast-util-sanitize';
+import { buildSanitizeSchema, rehypeAnchorRel } from './sanitize-schema.js';
 import { remarkDirectiveStamp } from './remark-directives.js';
 import { rehypeDispatch } from './rehype-dispatch.js';
 import type { ComponentRegistry } from './registry.js';
@@ -15,6 +18,15 @@ export interface RendererOptions {
    *  CSS can drive an entrance-cascade delay off it. Omit for no stagger. The ordinal
    *  is inert, so a consumer's sanitize floor can keep `data-rise` and drop `style`. */
   stagger?: boolean;
+  /** Extend the sanitize allowlist. Receives cairn's default schema (defaultSchema plus the
+   *  directive markers and the common benign tags) and returns the schema to use. Add to the
+   *  allowlist for the benign HTML a site's content needs; start from the argument so the
+   *  dangerous strip is preserved. */
+  sanitizeSchema?: (defaults: Schema) => Schema;
+  /** Developer-only escape hatch: disable the sanitize floor entirely. This reintroduces the XSS
+   *  vector the floor closes, so it is only for a site whose content is fully developer-controlled.
+   *  It is a code-level adapter decision, never an editor-facing setting. */
+  unsafeDisableSanitize?: boolean;
 }
 
 /** Compose a site's render pipeline from its component registry: directive syntax to
@@ -22,7 +34,19 @@ export interface RendererOptions {
  *  rehype plugin arrays (so the admin editor preview can reuse the exact same set). */
 export function createRenderer(registry: ComponentRegistry, options: RendererOptions = {}) {
   const remarkPlugins: PluggableList = [remarkDirective, [remarkDirectiveStamp, registry]];
-  const rehypePlugins: PluggableList = [rehypeRaw, [rehypeDispatch, registry, options.stagger], rehypeSlug];
+  // The sanitize floor runs after rehype-raw (so author raw HTML is parsed, then cleaned) and
+  // before the dispatch (so the site's trusted build() output and its inline SVG icons are never
+  // sanitized). The anchor-rel hardening runs last so it also covers component-built anchors.
+  const floor: PluggableList = options.unsafeDisableSanitize
+    ? []
+    : [[rehypeSanitize, buildSanitizeSchema(registry, options.sanitizeSchema)]];
+  const rehypePlugins: PluggableList = [
+    rehypeRaw,
+    ...floor,
+    [rehypeDispatch, registry, options.stagger],
+    rehypeSlug,
+    rehypeAnchorRel,
+  ];
   const processor = unified()
     .use(remarkParse)
     .use(remarkGfm)