@glw907/cairn-cms 0.14.0 → 0.18.0

package/dist/delivery/feeds.js

@@ -13,30 +13,41 @@ function escapeXml(value) {
 function cdataSafe(value) {
     return value.replace(/]]>/g, ']]]]><![CDATA[>');
 }
-/** Format a YYYY-MM-DD (or ISO) string as an RFC-822 date in UTC, as RSS wants. */
+/** Parse a YYYY-MM-DD (or ISO) string as a UTC instant. Returns undefined for an absent or
+ *  unparseable date, so a feed omits the date field rather than emit Invalid Date or throw. */
+function parseFeedDate(date) {
+    if (!date)
+        return undefined;
+    const at = new Date(`${date.slice(0, 10)}T00:00:00.000Z`);
+    return Number.isNaN(at.getTime()) ? undefined : at;
+}
+/** Format a date as an RFC-822 string in UTC, as RSS wants, or undefined when it cannot parse. */
 function rfc822(date) {
-    return new Date(`${date.slice(0, 10)}T00:00:00.000Z`).toUTCString();
+    return parseFeedDate(date)?.toUTCString();
 }
-/** Format a YYYY-MM-DD (or ISO) string as an ISO-8601 instant in UTC. */
+/** Format a date as an ISO-8601 instant in UTC, or undefined when it cannot parse. */
 function iso(date) {
-    return new Date(`${date.slice(0, 10)}T00:00:00.000Z`).toISOString();
+    return parseFeedDate(date)?.toISOString();
 }
 /** Build an RSS 2.0 document. */
 export function buildRssFeed(channel, items) {
     const entries = items
         .map((item) => {
         const content = item.contentHtml ?? item.summary;
+        const pubDate = rfc822(item.date);
         return [
             '    <item>',
             `      <title>${escapeXml(item.title)}</title>`,
             `      <link>${escapeXml(item.url)}</link>`,
             `      <guid isPermaLink="true">${escapeXml(item.url)}</guid>`,
-            `      <pubDate>${rfc822(item.date)}</pubDate>`,
+            pubDate ? `      <pubDate>${pubDate}</pubDate>` : '',
             `      <description>${escapeXml(item.summary)}</description>`,
             // CDATA cannot contain `]]>`, so split that one sequence rather than escape the body.
             `      <content:encoded><![CDATA[${cdataSafe(content)}]]></content:encoded>`,
             '    </item>',
-        ].join('\n');
+        ]
+            .filter((line) => line !== '')
+            .join('\n');
     })
         .join('\n');
     return [
@@ -66,15 +77,19 @@ export function buildJsonFeed(channel, items) {
         feed_url: channel.feedUrl,
         ...(channel.language ? { language: channel.language } : {}),
         ...(channel.author ? { authors: [channel.author] } : {}),
-        items: items.map((item) => ({
-            id: item.url,
-            url: item.url,
-            title: item.title,
-            summary: item.summary,
-            date_published: iso(item.date),
-            ...(item.updated ? { date_modified: iso(item.updated) } : {}),
-            ...(item.contentHtml ? { content_html: item.contentHtml } : { content_text: item.summary }),
-            ...(item.tags && item.tags.length ? { tags: item.tags } : {}),
-        })),
+        items: items.map((item) => {
+            const datePublished = iso(item.date);
+            const dateModified = iso(item.updated);
+            return {
+                id: item.url,
+                url: item.url,
+                title: item.title,
+                summary: item.summary,
+                ...(datePublished ? { date_published: datePublished } : {}),
+                ...(dateModified ? { date_modified: dateModified } : {}),
+                ...(item.contentHtml ? { content_html: item.contentHtml } : { content_text: item.summary }),
+                ...(item.tags && item.tags.length ? { tags: item.tags } : {}),
+            };
+        }),
     }, null, 2);
 }

package/dist/delivery/index.d.ts

@@ -20,6 +20,7 @@ export type { Page } from './paginate.js';
 export { rssResponse, jsonFeedResponse, sitemapResponse, robotsResponse } from './responses.js';
 export { jsonLdScript } from './json-ld.js';
 export { permalink } from '../content/permalink.js';
+export { buildSiteManifest, buildLinkResolver } from './manifest.js';
 export { createPublicRoutes } from '../sveltekit/public-routes.js';
 export type { PublicRoutesDeps, ListData, TagData, TagIndexData, EntryData, } from '../sveltekit/public-routes.js';
 export { default as CairnHead } from './CairnHead.svelte';

package/dist/delivery/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/delivery/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAClE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC9G,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AACzD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,YAAY,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACjE,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,YAAY,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChG,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,YAAY,EACV,gBAAgB,EAChB,QAAQ,EACR,OAAO,EACP,YAAY,EACZ,SAAS,GACV,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/delivery/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAClE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC9G,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AACzD,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,YAAY,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACjE,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,YAAY,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChG,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,YAAY,EACV,gBAAgB,EAChB,QAAQ,EACR,OAAO,EACP,YAAY,EACZ,SAAS,GACV,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/delivery/index.js

@@ -17,5 +17,6 @@ export { paginate } from './paginate.js';
 export { rssResponse, jsonFeedResponse, sitemapResponse, robotsResponse } from './responses.js';
 export { jsonLdScript } from './json-ld.js';
 export { permalink } from '../content/permalink.js';
+export { buildSiteManifest, buildLinkResolver } from './manifest.js';
 export { createPublicRoutes } from '../sveltekit/public-routes.js';
 export { default as CairnHead } from './CairnHead.svelte';

package/dist/delivery/manifest.d.ts

@@ -0,0 +1,13 @@
+import type { Manifest } from '../content/manifest.js';
+import type { LinkResolve } from '../content/links.js';
+import type { SiteIndex } from './site-index.js';
+import type { SiteConfig } from '../nav/site-config.js';
+import type { CairnAdapter } from '../content/types.js';
+import type { SiteGlobs } from './site-indexes.js';
+/** Build the whole-corpus manifest from a site's adapter, config, and per-concept globs. Drafts are
+ *  included and flagged, so the admin picker and the guards see the full graph. */
+export declare function buildSiteManifest<A extends CairnAdapter>(adapter: A, config: SiteConfig, globs: SiteGlobs<A>): Manifest;
+/** A resolver backed by the site index, for the build. A miss throws, so a dangling cairn: token
+ *  fails the prerender (the build backstop). The preview uses manifestLinkResolver, which marks. */
+export declare function buildLinkResolver(site: SiteIndex): LinkResolve;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/delivery/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/lib/delivery/manifest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEnD;mFACmF;AACnF,wBAAgB,iBAAiB,CAAC,CAAC,SAAS,YAAY,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,QAAQ,CAUvH;AAED;oGACoG;AACpG,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,SAAS,GAAG,WAAW,CAM9D"}

package/dist/delivery/manifest.js

@@ -0,0 +1,31 @@
+// cairn-cms: the build-side manifest builder and the build link resolver (content-graph design).
+// buildSiteManifest mirrors createSiteIndexes: it maps the site descriptors over the per-concept
+// globs and projects each file to a manifest row. buildLinkResolver reads the site index, which is
+// fresh from the files at build, and throws on a missing target so a dangling cairn: token fails
+// the build (the backstop). The admin preview uses manifestLinkResolver instead.
+import { siteDescriptors } from './site-descriptors.js';
+import { fromGlob } from './content-index.js';
+import { emptyManifest, manifestEntryFromFile } from '../content/manifest.js';
+/** Build the whole-corpus manifest from a site's adapter, config, and per-concept globs. Drafts are
+ *  included and flagged, so the admin picker and the guards see the full graph. */
+export function buildSiteManifest(adapter, config, globs) {
+    const globRecord = globs;
+    const manifest = emptyManifest();
+    for (const descriptor of siteDescriptors(adapter, config)) {
+        const record = globRecord[descriptor.id] ?? {};
+        for (const file of fromGlob(record)) {
+            manifest.entries.push(manifestEntryFromFile(descriptor, file));
+        }
+    }
+    return manifest;
+}
+/** A resolver backed by the site index, for the build. A miss throws, so a dangling cairn: token
+ *  fails the prerender (the build backstop). The preview uses manifestLinkResolver, which marks. */
+export function buildLinkResolver(site) {
+    return (ref) => {
+        const url = site.concept(ref.concept)?.byId(ref.id)?.permalink;
+        if (!url)
+            throw new Error(`cairn link target not found: cairn:${ref.concept}/${ref.id}`);
+        return url;
+    };
+}

package/dist/delivery/site-indexes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"site-indexes.d.ts","sourceRoot":"","sources":["../../src/lib/delivery/site-indexes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAClD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAIxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAgB,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE/D,oGAAoG;AACpG,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,YAAY,IAAI;KAC7C,CAAC,IAAI,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CACnD,CAAC;AAEF;0EAC0E;AAC1E,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,YAAY,IAAI;KAC/C,CAAC,IAAI,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,YAAY,CACrC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACjG;CACF,GAAG;IAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAA;CAAE,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,CAAC,CAAC,SAAS,YAAY,EAC5D,OAAO,EAAE,CAAC,EACV,MAAM,EAAE,UAAU,EAClB,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EACnB,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAO,GAChC,WAAW,CAAC,CAAC,CAAC,CAYhB"}
+{"version":3,"file":"site-indexes.d.ts","sourceRoot":"","sources":["../../src/lib/delivery/site-indexes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAClD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAIxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAgB,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE/D,oGAAoG;AACpG,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,YAAY,IAAI;KAC7C,CAAC,IAAI,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CACnD,CAAC;AAEF;0EAC0E;AAC1E,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,YAAY,IAAI;KAC/C,CAAC,IAAI,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,YAAY,CACrC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CACjG;CACF,GAAG;IAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAA;CAAE,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,CAAC,CAAC,SAAS,YAAY,EAC5D,OAAO,EAAE,CAAC,EACV,MAAM,EAAE,UAAU,EAClB,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EACnB,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAO,GAChC,WAAW,CAAC,CAAC,CAAC,CAwBhB"}

package/dist/delivery/site-indexes.js

@@ -9,10 +9,18 @@ import { createSiteIndex } from './site-index.js';
  */
 export function createSiteIndexes(adapter, config, globs, opts = {}) {
     const descriptors = siteDescriptors(adapter, config);
+    const globRecord = globs;
     const byConcept = {};
     const conceptIndexes = [];
     for (const descriptor of descriptors) {
-        const record = globs[descriptor.id] ?? {};
+        if (descriptor.id === 'site') {
+            throw new Error('createSiteIndexes: a concept cannot be named "site", which is the reserved cross-concept resolver key');
+        }
+        if (!Object.prototype.hasOwnProperty.call(globRecord, descriptor.id)) {
+            const passed = Object.keys(globRecord);
+            throw new Error(`createSiteIndexes: no glob passed for concept "${descriptor.id}"; pass its import.meta.glob (an empty {} for an intentionally empty concept). Globs passed: ${passed.length ? passed.join(', ') : '(none)'}`);
+        }
+        const record = globRecord[descriptor.id] ?? {};
         const index = createContentIndex(fromGlob(record), descriptor);
         byConcept[descriptor.id] = index;
         conceptIndexes.push({ descriptor, index });

package/dist/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/lib/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAMrE;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE;IAAE,OAAO,CAAC,EAAE,UAAU,CAAA;CAAE,GAAG,UAAU,CAKnE"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/lib/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAmBrE;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE;IAAE,OAAO,CAAC,EAAE,UAAU,CAAA;CAAE,GAAG,UAAU,CAKnE"}

package/dist/env.js

@@ -11,6 +11,20 @@ export function requireOrigin(env) {
     if (!origin) {
         throw new Error('PUBLIC_ORIGIN is not configured');
     }
+    let hostname;
+    try {
+        hostname = new URL(origin).hostname;
+    }
+    catch {
+        throw new Error(`PUBLIC_ORIGIN is not a valid URL, got ${origin}`);
+    }
+    // The magic-link origin must be https in production so the link and the __Host- cookie are
+    // origin-bound. http is allowed only for local dev on localhost or 127.0.0.1, matched exactly so
+    // a lookalike host like localhost.example.com cannot skip the https requirement.
+    const isLocal = hostname === 'localhost' || hostname === '127.0.0.1';
+    if (!origin.startsWith('https://') && !isLocal) {
+        throw new Error(`PUBLIC_ORIGIN must be https in production, got ${origin}`);
+    }
     return origin;
 }
 /**

package/dist/github/repo.d.ts

@@ -45,5 +45,26 @@ export declare function commitFile(repo: RepoRef, path: string, content: string,
     message: string;
     author: CommitAuthor;
 }, token: string): Promise<string>;
+/** A path change for an atomic commit: write `content`, or delete the path when `content` is null. */
+export interface FileChange {
+    path: string;
+    content: string | null;
+}
+/**
+ * Commit several path changes in one commit over the Git Data API. The author is the editor; the
+ * committer is omitted, so GitHub attributes the commit to the App. Returns the new commit sha.
+ * Builds the new tree on the current head's tree, so paths not named here are preserved.
+ *
+ * Caller preconditions this layer cannot enforce (the save and lifecycle paths must): every
+ * `path` is confined to the site's content directories (the App token can write anywhere in the
+ * repo), and `author` is derived from the verified server-side session, never request input.
+ *
+ * An empty change set is rejected, since it would otherwise push an empty commit that triggers a
+ * site redeploy for no content change.
+ */
+export declare function commitFiles(repo: RepoRef, changes: FileChange[], opts: {
+    message: string;
+    author: CommitAuthor;
+}, token: string): Promise<string>;
 export {};
 //# sourceMappingURL=repo.d.ts.map

package/dist/github/repo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/lib/github/repo.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAelE,iEAAiE;AACjE,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAE7C;AAED,qFAAqF;AACrF,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAOD;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,CAW1E;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAMlG;AAED,6EAA6E;AAC7E,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAiBjB"}
+{"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/lib/github/repo.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAelE,iEAAiE;AACjE,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAE7C;AAED,qFAAqF;AACrF,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAOD;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,CAW1E;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAMlG;AAED,6EAA6E;AAC7E,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAiBjB;AAED,sGAAsG;AACtG,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AA8CD;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,OAAO,EACb,OAAO,EAAE,UAAU,EAAE,EACrB,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAkCjB"}

package/dist/github/repo.js

@@ -121,3 +121,82 @@ export async function commitFile(repo, path, content, opts, token) {
         throw new Error(`GitHub commit ${path} failed: ${res.status} ${await res.text()}`);
     return (await res.json()).commit.sha;
 }
+/** A Git Data API URL under the repo's `git/` namespace. */
+function gitUrl(repo, suffix) {
+    return `${API}/repos/${repo.owner}/${repo.repo}/git/${suffix}`;
+}
+/** The branch head commit sha, through the Git Data API single-ref read. */
+async function headCommitSha(repo, token) {
+    const res = await fetch(gitUrl(repo, `ref/heads/${encodeURIComponent(repo.branch)}`), {
+        headers: ghHeaders('application/vnd.github+json', token),
+    });
+    if (!res.ok)
+        throw new Error(`GitHub ref ${repo.branch} failed: ${res.status}`);
+    return (await res.json()).object.sha;
+}
+/** The base tree sha of a commit. */
+async function commitTreeSha(repo, commitSha, token) {
+    const res = await fetch(gitUrl(repo, `commits/${commitSha}`), {
+        headers: ghHeaders('application/vnd.github+json', token),
+    });
+    if (!res.ok)
+        throw new Error(`GitHub commit ${commitSha} failed: ${res.status}`);
+    return (await res.json()).tree.sha;
+}
+/** Map file changes to Git Trees API entries, encoding a null content as a delete. */
+function treeChanges(changes) {
+    return changes.map((c) => c.content === null
+        ? { path: c.path, mode: '100644', type: 'blob', sha: null }
+        : { path: c.path, mode: '100644', type: 'blob', content: c.content });
+}
+/** Retries after the initial attempt when the branch moves under an atomic commit. */
+const COMMIT_RETRIES = 3;
+/**
+ * Commit several path changes in one commit over the Git Data API. The author is the editor; the
+ * committer is omitted, so GitHub attributes the commit to the App. Returns the new commit sha.
+ * Builds the new tree on the current head's tree, so paths not named here are preserved.
+ *
+ * Caller preconditions this layer cannot enforce (the save and lifecycle paths must): every
+ * `path` is confined to the site's content directories (the App token can write anywhere in the
+ * repo), and `author` is derived from the verified server-side session, never request input.
+ *
+ * An empty change set is rejected, since it would otherwise push an empty commit that triggers a
+ * site redeploy for no content change.
+ */
+export async function commitFiles(repo, changes, opts, token) {
+    if (changes.length === 0)
+        throw new Error('commitFiles: no changes to commit');
+    const tree = treeChanges(changes);
+    for (let attempt = 0; attempt <= COMMIT_RETRIES; attempt++) {
+        const parent = await headCommitSha(repo, token);
+        const baseTree = await commitTreeSha(repo, parent, token);
+        const treeRes = await fetch(gitUrl(repo, 'trees'), {
+            method: 'POST',
+            headers: { ...ghHeaders('application/vnd.github+json', token), 'Content-Type': 'application/json' },
+            body: JSON.stringify({ base_tree: baseTree, tree }),
+        });
+        if (!treeRes.ok)
+            throw new Error(`GitHub tree create failed: ${treeRes.status} ${await treeRes.text()}`);
+        const newTree = (await treeRes.json()).sha;
+        const commitRes = await fetch(gitUrl(repo, 'commits'), {
+            method: 'POST',
+            headers: { ...ghHeaders('application/vnd.github+json', token), 'Content-Type': 'application/json' },
+            body: JSON.stringify({ message: opts.message, tree: newTree, parents: [parent], author: opts.author }),
+        });
+        if (!commitRes.ok)
+            throw new Error(`GitHub commit create failed: ${commitRes.status} ${await commitRes.text()}`);
+        const newCommit = (await commitRes.json()).sha;
+        const refRes = await fetch(gitUrl(repo, `refs/heads/${encodeURIComponent(repo.branch)}`), {
+            method: 'PATCH',
+            headers: { ...ghHeaders('application/vnd.github+json', token), 'Content-Type': 'application/json' },
+            body: JSON.stringify({ sha: newCommit, force: false }),
+        });
+        if (refRes.ok)
+            return newCommit;
+        // A non-fast-forward means the branch moved; retry on the new head so a concurrent commit
+        // is preserved. Any other failure is not a race, so surface it.
+        if (refRes.status !== 422)
+            throw new Error(`GitHub ref update failed: ${refRes.status} ${await refRes.text()}`);
+    }
+    throw new CommitConflictError(`${repo.branch} (atomic commit)`);
+}

package/dist/github/signing.d.ts

@@ -3,6 +3,18 @@ import type { AppCredentials } from './types.js';
 export declare function appJwt(appId: string, privateKeyPem: string): Promise<string>;
 /** Exchange the App JWT for a short-lived installation access token. */
 export declare function installationToken(creds: AppCredentials): Promise<string>;
+/**
+ * Build an installation-token cache. A module-global instance memoizes the minted token per
+ * installation for most of its one-hour life, so a warm Worker isolate reuses it across requests
+ * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
+ * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
+ * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
+ * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * cache is testable with no network call and no real clock.
+ */
+export declare function createInstallationTokenCache(mint?: (creds: AppCredentials) => Promise<string>, now?: () => number, ttlMs?: number): (creds: AppCredentials) => Promise<string>;
+/** The shared installation-token cache, one instance per Worker isolate. */
+export declare const cachedInstallationToken: (creds: AppCredentials) => Promise<string>;
 /**
  * Deploy-time self-test for the App signer: sign a dummy JWT with the configured key. It
  * exercises the brittle PKCS#1-to-PKCS#8 conversion and the Web Crypto import and sign with

package/dist/github/signing.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/lib/github/signing.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AA0CjD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAa9E;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAQrH"}
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/lib/github/signing.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AA0CjD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAa9E;AAOD;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,IAAI,GAAE,CAAC,KAAK,EAAE,cAAc,KAAK,OAAO,CAAC,MAAM,CAAqB,EACpE,GAAG,GAAE,MAAM,MAAyB,EACpC,KAAK,SAAiB,GACrB,CAAC,KAAK,EAAE,cAAc,KAAK,OAAO,CAAC,MAAM,CAAC,CAS5C;AAED,4EAA4E;AAC5E,eAAO,MAAM,uBAAuB,UAZzB,cAAc,KAAK,OAAO,CAAC,MAAM,CAYyB,CAAC;AAEtE;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAQrH"}

package/dist/github/signing.js

@@ -59,6 +59,28 @@ export async function installationToken(creds) {
         throw new Error(`GitHub installation token failed: ${res.status}`);
     return (await res.json()).token;
 }
+/**
+ * Build an installation-token cache. A module-global instance memoizes the minted token per
+ * installation for most of its one-hour life, so a warm Worker isolate reuses it across requests
+ * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
+ * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
+ * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
+ * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * cache is testable with no network call and no real clock.
+ */
+export function createInstallationTokenCache(mint = installationToken, now = () => Date.now(), ttlMs = 55 * 60 * 1000) {
+    const cache = new Map();
+    return async function get(creds) {
+        const hit = cache.get(creds.installationId);
+        if (hit && hit.expiresAt > now())
+            return hit.token;
+        const token = await mint(creds);
+        cache.set(creds.installationId, { token, expiresAt: now() + ttlMs });
+        return token;
+    };
+}
+/** The shared installation-token cache, one instance per Worker isolate. */
+export const cachedInstallationToken = createInstallationTokenCache();
 /**
  * Deploy-time self-test for the App signer: sign a dummy JWT with the configured key. It
  * exercises the brittle PKCS#1-to-PKCS#8 conversion and the Web Crypto import and sign with

package/dist/index.d.ts

@@ -11,6 +11,10 @@ export { defineAdapter } from './content/adapter.js';
 export type { ConceptSchema, Infer, InferFields, DefineFieldsOptions, StandardInput, StandardSchemaV1 } from './content/schema.js';
 export { isValidId, idFromFilename, filenameFromId, slugify, slugFromId, composeDatedId, } from './content/ids.js';
 export type { DatePrefix } from './content/ids.js';
+export { parseCairnToken, extractCairnLinks } from './content/links.js';
+export type { CairnRef, LinkResolve } from './content/links.js';
+export { serializeManifest, parseManifest, emptyManifest, verifyManifest, upsertEntry, removeEntry, manifestEntryFromFile, manifestLinkResolver, } from './content/manifest.js';
+export type { Manifest, ManifestEntry, LinkTarget } from './content/manifest.js';
 export { defineRegistry, emptyValues } from './render/registry.js';
 export type { ComponentDef, ComponentRegistry, FieldType, AttributeField, SlotKind, SlotDef, ComponentValues, } from './render/registry.js';
 export { serializeComponent, parseComponent } from './render/component-grammar.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC7D,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGnE,YAAY,EACV,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,SAAS,EACT,YAAY,EACZ,SAAS,EACT,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,UAAU,EACV,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,iBAAiB,EACjB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,YAAY,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACnI,OAAO,EACL,SAAS,EACT,cAAc,EACd,cAAc,EACd,OAAO,EACP,UAAU,EACV,cAAc,GACf,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,cAAc,EACd,QAAQ,EACR,OAAO,EACP,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACnF,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,YAAY,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,KAAK,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC1F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,YAAY,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EACL,cAAc,EACd,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,aAAa,GACd,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAG5D,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EACL,OAAO,EACP,eAAe,EACf,YAAY,EACZ,WAAW,EACX,OAAO,EACP,OAAO,EACP,UAAU,GACX,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAG5D,OAAO,EACL,eAAe,EACf,aAAa,EACb,WAAW,EACX,OAAO,EACP,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAKhE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAC3E,YAAY,EACV,OAAO,EACP,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,cAAc,GACf,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC1E,YAAY,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,YAAY,EAAE,IAAI,EAAE,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC7D,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGnE,YAAY,EACV,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,SAAS,EACT,YAAY,EACZ,SAAS,EACT,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,UAAU,EACV,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,iBAAiB,EACjB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,YAAY,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACnI,OAAO,EACL,SAAS,EACT,cAAc,EACd,cAAc,EACd,OAAO,EACP,UAAU,EACV,cAAc,GACf,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAInD,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACxE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,aAAa,EACb,cAAc,EACd,WAAW,EACX,WAAW,EACX,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEjF,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,cAAc,EACd,QAAQ,EACR,OAAO,EACP,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AACnF,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,YAAY,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,KAAK,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC1F,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,YAAY,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,YAAY,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EACL,cAAc,EACd,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,aAAa,GACd,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAG5D,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EACL,OAAO,EACP,eAAe,EACf,YAAY,EACZ,WAAW,EACX,OAAO,EACP,OAAO,EACP,UAAU,GACX,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAG5D,OAAO,EACL,eAAe,EACf,aAAa,EACb,WAAW,EACX,OAAO,EACP,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAKhE,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAC3E,YAAY,EACV,OAAO,EACP,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,cAAc,GACf,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC1E,YAAY,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,YAAY,EAAE,IAAI,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -8,6 +8,11 @@ export { frontmatterFromForm, dateInputValue, serializeMarkdown, parseMarkdown,
 export { defineFields } from './content/schema.js';
 export { defineAdapter } from './content/adapter.js';
 export { isValidId, idFromFilename, filenameFromId, slugify, slugFromId, composeDatedId, } from './content/ids.js';
+// Internal-link token and the committed content manifest (content-graph design). The corpus
+// builder and the request-time resolver ship from the delivery entry; this surface is the
+// grammar, the manifest operations, and their types a migrating site adopts.
+export { parseCairnToken, extractCairnLinks } from './content/links.js';
+export { serializeManifest, parseManifest, emptyManifest, verifyManifest, upsertEntry, removeEntry, manifestEntryFromFile, manifestLinkResolver, } from './content/manifest.js';
 // Render engine (Plan 04): generic directive pipeline; sites own the component registry.
 export { defineRegistry, emptyValues } from './render/registry.js';
 export { serializeComponent, parseComponent } from './render/component-grammar.js';

package/dist/render/pipeline.d.ts

@@ -1,10 +1,21 @@
 import { type PluggableList } from 'unified';
+import type { Schema } from 'hast-util-sanitize';
 import type { ComponentRegistry } from './registry.js';
+import type { LinkResolve } from '../content/links.js';
 export interface RendererOptions {
     /** Stamp a `data-rise` ordinal (0, 1, 2, …) on each top-level component so a site's
      *  CSS can drive an entrance-cascade delay off it. Omit for no stagger. The ordinal
      *  is inert, so a consumer's sanitize floor can keep `data-rise` and drop `style`. */
     stagger?: boolean;
+    /** Extend the sanitize allowlist. Receives cairn's default schema (defaultSchema plus the
+     *  directive markers and the common benign tags) and returns the schema to use. Add to the
+     *  allowlist for the benign HTML a site's content needs; start from the argument so the
+     *  dangerous strip is preserved. */
+    sanitizeSchema?: (defaults: Schema) => Schema;
+    /** Developer-only escape hatch: disable the sanitize floor entirely. This reintroduces the XSS
+     *  vector the floor closes, so it is only for a site whose content is fully developer-controlled.
+     *  It is a code-level adapter decision, never an editor-facing setting. */
+    unsafeDisableSanitize?: boolean;
 }
 /** Compose a site's render pipeline from its component registry: directive syntax to
  *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
@@ -12,6 +23,8 @@ export interface RendererOptions {
 export declare function createRenderer(registry: ComponentRegistry, options?: RendererOptions): {
     remarkPlugins: PluggableList;
     rehypePlugins: PluggableList;
-    renderMarkdown: (content: string) => Promise<string>;
+    renderMarkdown: (content: string, opts?: {
+        resolve?: LinkResolve;
+    }) => Promise<string>;
 };
 //# sourceMappingURL=pipeline.d.ts.map

package/dist/render/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,WAAW,eAAe;IAC9B;;0FAEsF;IACtF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAarD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAE3D"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAStD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAMjD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,WAAW,eAAe;IAC9B;;0FAEsF;IACtF,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;wCAGoC;IACpC,cAAc,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C;;+EAE2E;IAC3E,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAyBrD,MAAM,SAAQ;QAAE,OAAO,CAAC,EAAE,WAAW,CAAA;KAAE,KAAQ,OAAO,CAAC,MAAM,CAAC;EAKjG"}

package/dist/render/pipeline.js

@@ -6,14 +6,30 @@ import remarkRehype from 'remark-rehype';
 import rehypeRaw from 'rehype-raw';
 import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
+import rehypeSanitize from 'rehype-sanitize';
+import { VFile } from 'vfile';
+import { buildSanitizeSchema, rehypeAnchorRel } from './sanitize-schema.js';
 import { remarkDirectiveStamp } from './remark-directives.js';
+import { remarkResolveCairnLinks, CAIRN_RESOLVE } from './resolve-links.js';
 import { rehypeDispatch } from './rehype-dispatch.js';
 /** Compose a site's render pipeline from its component registry: directive syntax to
  *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the admin editor preview can reuse the exact same set). */
 export function createRenderer(registry, options = {}) {
-    const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry]];
-    const rehypePlugins = [rehypeRaw, [rehypeDispatch, registry, options.stagger], rehypeSlug];
+    const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry], remarkResolveCairnLinks];
+    // The sanitize floor runs after rehype-raw (so author raw HTML is parsed, then cleaned) and
+    // before the dispatch (so the site's trusted build() output and its inline SVG icons are never
+    // sanitized). The anchor-rel hardening runs last so it also covers component-built anchors.
+    const floor = options.unsafeDisableSanitize
+        ? []
+        : [[rehypeSanitize, buildSanitizeSchema(registry, options.sanitizeSchema)]];
+    const rehypePlugins = [
+        rehypeRaw,
+        ...floor,
+        [rehypeDispatch, registry, options.stagger],
+        rehypeSlug,
+        rehypeAnchorRel,
+    ];
     const processor = unified()
         .use(remarkParse)
         .use(remarkGfm)
@@ -24,6 +40,9 @@ export function createRenderer(registry, options = {}) {
     return {
         remarkPlugins,
         rehypePlugins,
-        renderMarkdown: async (content) => String(await processor.process(content)),
+        renderMarkdown: async (content, opts = {}) => {
+            const file = new VFile({ value: content, data: { [CAIRN_RESOLVE]: opts.resolve } });
+            return String(await processor.process(file));
+        },
     };
 }

package/dist/render/resolve-links.d.ts

@@ -0,0 +1,8 @@
+import type { VFile } from 'vfile';
+/** The VFile data key the renderer sets the per-call resolver under. */
+export declare const CAIRN_RESOLVE = "cairnResolve";
+/** Resolve cairn: link nodes against the VFile's resolver. A non-cairn href and a malformed token
+ *  pass through. A missing target is marked with the cairn-broken-link class (the resolver returns
+ *  undefined) or, when the resolver throws, the error propagates and fails the build. */
+export declare function remarkResolveCairnLinks(): (tree: unknown, file: VFile) => void;
+//# sourceMappingURL=resolve-links.d.ts.map

package/dist/render/resolve-links.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-links.d.ts","sourceRoot":"","sources":["../../src/lib/render/resolve-links.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC;AAGnC,wEAAwE;AACxE,eAAO,MAAM,aAAa,iBAAiB,CAAC;AAO5C;;yFAEyF;AACzF,wBAAgB,uBAAuB,KAC7B,MAAM,OAAO,EAAE,MAAM,KAAK,KAAG,IAAI,CAoB1C"}

package/dist/render/resolve-links.js

@@ -0,0 +1,36 @@
+// cairn-cms: the cairn: link resolver, an mdast step in the render pipeline (content-graph design).
+// It runs before remark-rehype, so the rewritten href passes through the sanitize floor exactly as
+// any other anchor. The per-call resolver is read off the VFile (set by renderMarkdown), so the
+// processor is still built once. A miss either marks the link broken (preview) or throws (build),
+// decided by the injected resolver.
+import { visit } from 'unist-util-visit';
+import { parseCairnToken } from '../content/links.js';
+/** The VFile data key the renderer sets the per-call resolver under. */
+export const CAIRN_RESOLVE = 'cairnResolve';
+/** Resolve cairn: link nodes against the VFile's resolver. A non-cairn href and a malformed token
+ *  pass through. A missing target is marked with the cairn-broken-link class (the resolver returns
+ *  undefined) or, when the resolver throws, the error propagates and fails the build. */
+export function remarkResolveCairnLinks() {
+    return (tree, file) => {
+        const resolve = file.data[CAIRN_RESOLVE];
+        if (!resolve)
+            return;
+        visit(tree, 'link', (node) => {
+            const ref = parseCairnToken(node.url);
+            if (!ref)
+                return;
+            const url = resolve(ref); // may throw (build backstop); propagates out of render
+            if (url) {
+                node.url = url;
+                return;
+            }
+            // Missing target in the preview: mark it broken and neutralize the href, keeping the text.
+            node.url = '#';
+            node.data = node.data ?? {};
+            const props = (node.data.hProperties = node.data.hProperties ?? {});
+            const existing = Array.isArray(props.className) ? props.className : [];
+            props.className = [...existing, 'cairn-broken-link'];
+            props.title = 'Broken internal link';
+        });
+    };
+}

package/dist/render/sanitize-schema.d.ts

@@ -0,0 +1,20 @@
+import { type Schema } from 'hast-util-sanitize';
+import type { Root } from 'hast';
+import { type ComponentRegistry } from './registry.js';
+/**
+ * Build the delivery sanitize schema. Starts from hast-util-sanitize's defaultSchema, the
+ * GitHub-lineage allowlist that strips scripts, inline event handlers, and javascript:/data: URLs,
+ * then adds exactly what cairn's render needs. The directive markers (the fixed ones plus the
+ * dataAttr<Key> markers derived from the registry) survive so the dispatch reads its stamps after
+ * the floor. The benign author tags real content uses (nav, details, summary) and class/target/rel
+ * on anchors are admitted. A site extends the result through `extend`, always starting from this
+ * safe base, so it can add to the allowlist but not weaken the core strip.
+ */
+export declare function buildSanitizeSchema(registry: ComponentRegistry, extend?: (defaults: Schema) => Schema): Schema;
+/**
+ * Force rel="noopener noreferrer" on every target="_blank" anchor, to prevent reverse-tabnabbing.
+ * hast-util-sanitize runs no per-node hook, so this small transform carries the behavior the old
+ * DOMPurify preview pass enforced, now on the delivered output as well.
+ */
+export declare function rehypeAnchorRel(): (tree: Root) => void;
+//# sourceMappingURL=sanitize-schema.d.ts.map

package/dist/render/sanitize-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-schema.d.ts","sourceRoot":"","sources":["../../src/lib/render/sanitize-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAgB,KAAK,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAMrE;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GACpC,MAAM,CA6BR;AAED;;;;GAIG;AACH,wBAAgB,eAAe,KACrB,MAAM,IAAI,UAOnB"}