@glw907/cairn-cms 0.14.0 → 0.18.0

package/dist/render/sanitize-schema.js

@@ -0,0 +1,57 @@
+import { defaultSchema } from 'hast-util-sanitize';
+import { visit } from 'unist-util-visit';
+import { dataAttrProp } from './registry.js';
+// The fixed directive markers the stamp writes and the dispatch reads. They are inert data
+// attributes, never a script vector, and must survive the floor so the dispatch still runs.
+const FIXED_MARKERS = ['dataPrimitive', 'dataSlot', 'dataIcon', 'dataRole', 'dataRise'];
+/**
+ * Build the delivery sanitize schema. Starts from hast-util-sanitize's defaultSchema, the
+ * GitHub-lineage allowlist that strips scripts, inline event handlers, and javascript:/data: URLs,
+ * then adds exactly what cairn's render needs. The directive markers (the fixed ones plus the
+ * dataAttr<Key> markers derived from the registry) survive so the dispatch reads its stamps after
+ * the floor. The benign author tags real content uses (nav, details, summary) and class/target/rel
+ * on anchors are admitted. A site extends the result through `extend`, always starting from this
+ * safe base, so it can add to the allowlist but not weaken the core strip.
+ */
+export function buildSanitizeSchema(registry, extend) {
+    const attrMarkers = registry.defs.flatMap((d) => (d.attributes ?? []).map((a) => dataAttrProp(a.key)));
+    const markers = [...FIXED_MARKERS, ...attrMarkers];
+    const attributes = defaultSchema.attributes ?? {};
+    // defaultSchema's `a` entry carries a className tuple (`['className', 'data-footnote-backref']`)
+    // that restricts a link's class to that one value. A per-tag tuple wins over a bare `*` entry, so
+    // it would strip an author's link class. Drop that tuple before admitting a free-form `className`.
+    const anchorAttrs = (attributes.a ?? []).filter((entry) => !(Array.isArray(entry) && entry[0] === 'className'));
+    // Admit the inert `cairn:` href scheme on top of the default protocol allowlist. The render
+    // resolver rewrites a `cairn:` link to a live permalink before delivery; an unresolved one
+    // survives the floor in its inert token form (a visible unresolved-link signal), never as an
+    // executable vector. The dangerous-protocol strip (javascript:, data:) is preserved.
+    const protocols = defaultSchema.protocols ?? {};
+    const schema = {
+        ...defaultSchema,
+        tagNames: [...(defaultSchema.tagNames ?? []), 'nav', 'details', 'summary'],
+        attributes: {
+            ...attributes,
+            '*': [...(attributes['*'] ?? []), 'className', ...markers],
+            a: [...anchorAttrs, 'className', 'target', 'rel'],
+        },
+        protocols: {
+            ...protocols,
+            href: [...(protocols.href ?? []), 'cairn'],
+        },
+    };
+    return extend ? extend(schema) : schema;
+}
+/**
+ * Force rel="noopener noreferrer" on every target="_blank" anchor, to prevent reverse-tabnabbing.
+ * hast-util-sanitize runs no per-node hook, so this small transform carries the behavior the old
+ * DOMPurify preview pass enforced, now on the delivered output as well.
+ */
+export function rehypeAnchorRel() {
+    return (tree) => {
+        visit(tree, 'element', (node) => {
+            if (node.tagName === 'a' && node.properties?.target === '_blank') {
+                node.properties.rel = 'noopener noreferrer';
+            }
+        });
+    };
+}

package/dist/sveltekit/auth-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/auth-routes.ts"],"names":[],"mappings":"AAcA,OAAO,EAAyC,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC3G,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB;uBA2B7B,cAAc,KAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAnBjD,cAAc,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;yBA4BnE,cAAc,KACpB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAcxB,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;0BAwBhC,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;EASnE"}
+{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/auth-routes.ts"],"names":[],"mappings":"AAeA,OAAO,EAAyC,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC3G,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB;uBA2C7B,cAAc,KAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAnCjD,cAAc,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;yBA4CnE,cAAc,KACpB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAcxB,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;0BAyBhC,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;EAUnE"}

package/dist/sveltekit/auth-routes.js

@@ -3,8 +3,8 @@
 // against a sink. The confirm-load, confirm, and logout handlers arrive in Task 6.
 import { redirect } from '@sveltejs/kit';
 import { requireOrigin, requireDb } from '../env.js';
-import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, COOKIE_NAME, } from '../auth/crypto.js';
-import { findEditor, issueToken, consumeToken, createSession, deleteSession } from '../auth/store.js';
+import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, SEND_COOLDOWN_MS, sessionCookieName, } from '../auth/crypto.js';
+import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
 import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
 export function createAuthRoutes(config) {
     const send = config.send ?? cloudflareSend;
@@ -21,11 +21,27 @@ export function createAuthRoutes(config) {
         const email = String(form.get('email') ?? '').trim().toLowerCase();
         const editor = email ? await findEditor(db, email) : null;
         if (editor) {
-            const token = generateToken();
             const now = Date.now();
-            await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-            const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+            // Per-email cooldown: skip the reissue and send when a token for this email was issued within
+            // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
+            // the non-leak property holds.
+            if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
+                const token = generateToken();
+                await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+                const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+                // The token row is the security-critical write the email depends on, so it is awaited. The
+                // send is a post-response side effect, handed to waitUntil so a slow email provider does not
+                // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
+                // failure is logged so observability survives a backgrounded send.
+                const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch((err) => console.error('cairn: magic-link send failed', err));
+                // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
+                // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
+                const ctx = event.platform?.ctx ?? event.platform?.context;
+                if (ctx?.waitUntil)
+                    ctx.waitUntil(sending);
+                else
+                    await sending;
+            }
         }
         return { sent: true };
     }
@@ -62,11 +78,12 @@ export function createAuthRoutes(config) {
             throw redirect(303, '/admin/login?error=expired');
         const id = generateSessionId();
         await createSession(db, id, email, now + SESSION_TTL_MS, now);
-        event.cookies.set(COOKIE_NAME, id, {
+        const secure = event.url.protocol === 'https:';
+        event.cookies.set(sessionCookieName(secure), id, {
             path: '/',
             httpOnly: true,
-            // Secure on HTTPS (every real deploy); off on local http dev so the cookie sticks.
-            secure: event.url.protocol === 'https:',
+            // __Host- needs Secure unconditionally on https; local http dev drops the prefix and Secure.
+            secure,
             sameSite: 'lax',
             maxAge: Math.floor(SESSION_TTL_MS / 1000),
         });
@@ -75,10 +92,11 @@ export function createAuthRoutes(config) {
     /** POST /admin/auth/logout. Deletes the session row and clears the cookie. */
     async function logoutAction(event) {
         const db = requireDb(event.platform?.env ?? {});
-        const id = event.cookies.get(COOKIE_NAME);
+        const name = sessionCookieName(event.url.protocol === 'https:');
+        const id = event.cookies.get(name);
         if (id)
             await deleteSession(db, id);
-        event.cookies.delete(COOKIE_NAME, { path: '/' });
+        event.cookies.delete(name, { path: '/' });
         throw redirect(303, '/admin/login');
     }
     return { loginLoad, requestAction, confirmLoad, confirmAction, logoutAction };

package/dist/sveltekit/content-routes.d.ts

@@ -1,4 +1,5 @@
 import { type GithubKeyEnv } from '../github/credentials.js';
+import { type LinkTarget } from '../content/manifest.js';
 import type { CairnRuntime, FrontmatterField } from '../content/types.js';
 import type { Editor, Role } from '../auth/types.js';
 /** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
@@ -50,6 +51,8 @@ export interface EditData {
     isNew: boolean;
     saved: boolean;
     error: string | null;
+    /** The site's link targets, for the preview resolver and the link picker; from the committed manifest. */
+    linkTargets: LinkTarget[];
 }
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent {

package/dist/sveltekit/content-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"content-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/content-routes.ts"],"names":[],"mappings":"AAQA,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAI7E,OAAO,KAAK,EAAE,YAAY,EAAqB,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAErD,wGAAwG;AACxG,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gGAAgG;AAChG,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAC1C,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,yGAAyG;IACzG,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,wCAAwC;AACxC,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,oCAAoC;AACpC,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,2FAA2F;IAC3F,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,gFAAgF;IAChF,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,qDAAqD;IACrD,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,6FAA6F;AAC7F,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,gGAAgG;AAChG,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,YAAY,CAAA;KAAE,CAAC;CACnC;AAED,sFAAsF;AACtF,MAAM,WAAW,iBAAiB;IAChC,6FAA6F;IAC7F,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACpD;AAgBD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,GAAE,iBAAsB;wBAK1D,YAAY,KAAG,UAAU;yBAa1B,KAAK;sBAqBA,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;0BAqB5B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;sBAyCjC,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;wBAgC9B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;qBAtJ5C,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC;EA+LnD"}
+{"version":3,"file":"content-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/content-routes.ts"],"names":[],"mappings":"AAQA,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAG7E,OAAO,EAAuF,KAAK,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAE9I,OAAO,KAAK,EAAE,YAAY,EAAqB,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAErD,wGAAwG;AACxG,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gGAAgG;AAChG,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAC1C,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,yGAAyG;IACzG,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,wCAAwC;AACxC,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,oCAAoC;AACpC,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,2FAA2F;IAC3F,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,gFAAgF;IAChF,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,qDAAqD;IACrD,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,6FAA6F;AAC7F,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,0GAA0G;IAC1G,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B;AAED,gGAAgG;AAChG,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,YAAY,CAAA;KAAE,CAAC;CACnC;AAED,sFAAsF;AACtF,MAAM,WAAW,iBAAiB;IAChC,6FAA6F;IAC7F,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACpD;AAgBD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,GAAE,iBAAsB;wBAK1D,YAAY,KAAG,UAAU;yBAa1B,KAAK;sBAqBA,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;0BAqB5B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;sBAyCjC,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;wBA+C9B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;qBArK5C,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC;EA4NnD"}

package/dist/sveltekit/content-routes.js

@@ -7,8 +7,9 @@ import { findConcept } from '../content/concepts.js';
 import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown } from '../content/frontmatter.js';
 import { isValidId, slugify, filenameFromId, composeDatedId } from '../content/ids.js';
 import { appCredentials } from '../github/credentials.js';
-import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
-import { installationToken } from '../github/signing.js';
+import { listMarkdown, readRaw, commitFiles } from '../github/repo.js';
+import { cachedInstallationToken } from '../github/signing.js';
+import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry } from '../content/manifest.js';
 import { CommitConflictError } from '../github/types.js';
 /** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
 function sessionOf(event) {
@@ -25,7 +26,7 @@ function conceptOf(runtime, params) {
     return concept;
 }
 export function createContentRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** Layout load for every admin page: the nav, the user, and the active path. */
     function layoutLoad(event) {
         const editor = sessionOf(event);
@@ -139,6 +140,18 @@ export function createContentRoutes(runtime, deps = {}) {
             throw error(404, 'Entry not found');
         const parsed = raw === null ? { frontmatter: {}, body: '' } : parseMarkdown(raw);
         const title = typeof parsed.frontmatter.title === 'string' && parsed.frontmatter.title.trim() ? parsed.frontmatter.title : id;
+        let linkTargets = [];
+        const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
+        if (manifestRaw !== null) {
+            linkTargets = parseManifest(manifestRaw).entries.map((e) => ({
+                concept: e.concept,
+                id: e.id,
+                permalink: e.permalink,
+                title: e.title,
+                date: e.date,
+                draft: e.draft,
+            }));
+        }
         return {
             conceptId: concept.id,
             id,
@@ -150,6 +163,7 @@ export function createContentRoutes(runtime, deps = {}) {
             isNew,
             saved: event.url.searchParams.get('saved') === '1',
             error: event.url.searchParams.get('error'),
+            linkTargets,
         };
     }
     /** Match a commit conflict by class and by name (bundling can alias the class identity). */
@@ -177,8 +191,21 @@ export function createContentRoutes(runtime, deps = {}) {
         }
         const markdown = serializeMarkdown(result.data, body);
         const token = await mintToken(event.platform?.env ?? {});
+        // Read the committed manifest, upsert this entry's row, and commit content and manifest in one
+        // commit. A missing manifest starts empty (first save on a fresh repo). The build regenerates
+        // and verifies the manifest, so this incremental patch is the cheap request-time path. On a
+        // 422 retry commitFiles re-sends this manifest blob last-writer-wins. A concurrent save can then
+        // leave the committed manifest stale, which the next build rejects via verifyManifest; regenerate
+        // it with npm run cairn:manifest to recover.
+        const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
+        const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
+        const row = manifestEntryFromFile(concept, { path, raw: markdown });
+        const nextManifest = serializeManifest(upsertEntry(manifest, row));
         try {
-            await commitFile(runtime.backend, path, markdown, { message: `Update ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } }, token);
+            await commitFiles(runtime.backend, [
+                { path, content: markdown },
+                { path: runtime.manifestPath, content: nextManifest },
+            ], { message: `Update ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } }, token);
         }
         catch (err) {
             if (isConflict(err)) {

package/dist/sveltekit/guard.d.ts

@@ -1,6 +1,6 @@
 import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export declare function createAuthGuard(): ({ event, resolve }: HandleInput) => Promise<Response>;
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */
 export declare function requireSession(event: RequestContext): Editor;

package/dist/sveltekit/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAW9D,sDAAsD;AACtD,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAYjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/guard.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAwB9D,kFAAkF;AAClF,wBAAgB,eAAe,KACA,oBAAoB,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC,CAcjF;AAED,gGAAgG;AAChG,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI5D;AAED,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAI1D"}

package/dist/sveltekit/guard.js

@@ -3,7 +3,7 @@
 // stays free of a site's App.* ambient types.
 import { redirect, error } from '@sveltejs/kit';
 import { resolveSession } from '../auth/store.js';
-import { COOKIE_NAME } from '../auth/crypto.js';
+import { sessionCookieName } from '../auth/crypto.js';
 /** The login page and the auth endpoints are public; everything else under /admin is gated. */
 function isPublicAdminPath(pathname) {
     return pathname === '/admin/login' || pathname.startsWith('/admin/auth/');
@@ -11,20 +11,35 @@ function isPublicAdminPath(pathname) {
 function isAdminPath(pathname) {
     return pathname === '/admin' || pathname.startsWith('/admin/');
 }
-/** The SvelteKit `Handle` that guards `/admin/**`. */
+/**
+ * Attach the baseline security headers to an admin response. No full CSP; see the auth-hardening
+ * design. frame-ancestors is the modern clickjacking control and the one CSP directive included.
+ */
+function applySecurityHeaders(headers) {
+    headers.set('X-Content-Type-Options', 'nosniff');
+    headers.set('X-Frame-Options', 'DENY');
+    headers.set('Content-Security-Policy', "frame-ancestors 'none'");
+    headers.set('Referrer-Policy', 'no-referrer');
+    headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
+    headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+}
+/** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export function createAuthGuard() {
     return async function handle({ event, resolve }) {
         const { pathname } = event.url;
-        if (!isAdminPath(pathname) || isPublicAdminPath(pathname)) {
+        if (!isAdminPath(pathname))
             return resolve(event);
+        if (!isPublicAdminPath(pathname)) {
+            const env = event.platform?.env ?? {};
+            const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
+            const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+            if (!editor)
+                throw redirect(303, '/admin/login');
+            event.locals.editor = editor;
         }
-        const env = event.platform?.env ?? {};
-        const id = event.cookies.get(COOKIE_NAME);
-        const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
-        if (!editor)
-            throw redirect(303, '/admin/login');
-        event.locals.editor = editor;
-        return resolve(event);
+        const response = await resolve(event);
+        applySecurityHeaders(response.headers);
+        return response;
     };
 }
 /** For a protected load/action: the session the guard already resolved, or a login redirect. */

package/dist/sveltekit/nav-routes.js

@@ -3,7 +3,7 @@
 // and commit paths are unit-testable against a fetch double with an injected token.
 import { redirect, error } from '@sveltejs/kit';
 import { appCredentials } from '../github/credentials.js';
-import { installationToken } from '../github/signing.js';
+import { cachedInstallationToken } from '../github/signing.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
 import { CommitConflictError } from '../github/types.js';
 import { parseSiteConfig, extractMenu, validateNavTree, setMenu } from '../nav/site-config.js';
@@ -19,7 +19,7 @@ function isConflict(err) {
     return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
 }
 export function createNavRoutes(runtime, deps = {}) {
-    const mintToken = deps.mintToken ?? ((env) => installationToken(appCredentials(runtime.backend, env)));
+    const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** List page-like concepts (routable, not dated) for the URL picker. Best-effort per concept. */
     async function pageOptions(token) {
         const pageConcepts = runtime.concepts.filter((c) => c.routing.routable && !c.routing.dated);

package/dist/sveltekit/public-routes.d.ts

@@ -1,11 +1,13 @@
 import type { ContentSummary, ContentEntry } from '../delivery/content-index.js';
 import type { SiteIndex } from '../delivery/site-index.js';
 import type { SeoMeta } from '../delivery/seo.js';
+import type { LinkResolve } from '../content/links.js';
 /** Injected dependencies for the public loaders. */
 export interface PublicRoutesDeps {
     site: SiteIndex;
     render: (md: string, opts?: {
         stagger?: boolean;
+        resolve?: LinkResolve;
     }) => string | Promise<string>;
     origin: string;
     /** Site name for og:site_name and the SEO head. */

package/dist/sveltekit/public-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"public-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/public-routes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAE3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,KAAK,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC;6EACyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qEAAqE;AACrE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAQ,SAAQ,QAAQ;IACvC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACxC;AAED,oFAAoF;AACpF,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,YAAY,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB;uBAWvB;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,KAAG,OAAO,CAAC,SAAS,CAAC;6BA0BjC,MAAM,KAAG,QAAQ;8BAKhB,MAAM,KAAG,YAAY;yBAK1B,MAAM,SAAS;QAAE,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,KAAG,OAAO;mBAO5D;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE;EAKvC"}
+{"version":3,"file":"public-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/public-routes.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAE3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAGlD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,WAAW,CAAA;KAAE,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACtG,MAAM,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,KAAK,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC;6EACyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qEAAqE;AACrE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAQ,SAAQ,QAAQ;IACvC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACxC;AAED,oFAAoF;AACpF,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,YAAY,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB;uBAWvB;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,KAAG,OAAO,CAAC,SAAS,CAAC;6BA0BjC,MAAM,KAAG,QAAQ;8BAKhB,MAAM,KAAG,YAAY;yBAK1B,MAAM,SAAS;QAAE,MAAM,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,KAAG,OAAO;mBAO5D;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE;EAKvC"}

package/dist/sveltekit/public-routes.js

@@ -6,6 +6,7 @@
 import { error } from '@sveltejs/kit';
 import { buildSeoMeta } from '../delivery/seo.js';
 import { readSeoFields, resolveImageUrl } from '../delivery/seo-fields.js';
+import { buildLinkResolver } from '../delivery/manifest.js';
 /** Build the public loaders for a site's unified index. */
 export function createPublicRoutes(deps) {
     const { site, render, origin, siteName, description, feeds, defaultImage } = deps;
@@ -38,9 +39,9 @@ export function createPublicRoutes(deps) {
             ...(image ? { image } : {}),
             ...(fields.robots ? { robots: fields.robots } : {}),
             ...(fields.author ? { author: fields.author } : {}),
-            feeds,
+            ...(entry.date ? { feeds } : {}),
         });
-        return { entry, html: await render(entry.body, { stagger: true }), canonicalUrl, seo, newer, older };
+        return { entry, html: await render(entry.body, { stagger: true, resolve: buildLinkResolver(site) }), canonicalUrl, seo, newer, older };
     }
     /** The chronological archive for one concept: every non-draft summary, newest-first. */
     function archiveLoad(conceptId) {

package/dist/sveltekit/types.d.ts

@@ -22,6 +22,12 @@ export interface RequestContext {
     };
     platform?: {
         env?: AuthEnv;
+        ctx?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
+        context?: {
+            waitUntil(promise: Promise<unknown>): void;
+        };
     };
     setHeaders(headers: Record<string, string>): void;
 }

package/dist/sveltekit/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAG7B,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC/D,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CACpD;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,GAAG,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QACT,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,GAAG,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;QACrD,OAAO,CAAC,EAAE;YAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAA;SAAE,CAAC;KAC1D,CAAC;IAGF,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,cAAc,CAAC;IACtB,OAAO,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;CAC9D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.14.0",
+  "version": "0.18.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -73,11 +73,12 @@
     "@types/hast": "^3.0.4",
     "@types/mdast": "^4.0.4",
     "codemirror": "^6.0.2",
-    "dompurify": "^3.4.7",
     "gray-matter": "^4",
+    "hast-util-sanitize": "^5.0.2",
     "hastscript": "^9.0.1",
     "mdast-util-directive": "^3.1.0",
     "rehype-raw": "^7.0.0",
+    "rehype-sanitize": "^6.0.0",
     "rehype-slug": "^6.0.0",
     "rehype-stringify": "^10.0.1",
     "remark-directive": "^4.0.0",

package/src/lib/auth/crypto.ts

@@ -2,8 +2,17 @@
 // code runs unchanged in workerd. The store keeps only the hash of a token, never the
 // token itself (spec 7.1).
 
-/** The session cookie name. */
-export const COOKIE_NAME = 'cairn_session';
+/** The base session cookie name, prefixed with __Host- when the cookie is Secure. */
+const COOKIE_BASE = 'cairn_session';
+
+/**
+ * The session cookie name. On https the cookie is Secure and takes the __Host- prefix, which
+ * binds it to the origin (the browser enforces Secure, Path=/, and no Domain). On local http
+ * dev the prefix is dropped, since __Host- requires Secure and the dev cookie cannot set it.
+ */
+export function sessionCookieName(secure: boolean): string {
+  return secure ? `__Host-${COOKIE_BASE}` : COOKIE_BASE;
+}
 
 /** Magic-link tokens live 10 minutes. */
 export const TOKEN_TTL_MS = 10 * 60 * 1000;
@@ -11,6 +20,9 @@ export const TOKEN_TTL_MS = 10 * 60 * 1000;
 /** Sessions live 30 days. */
 export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 
+/** A magic link is sent at most once per email per minute, to throttle inbox flooding. */
+export const SEND_COOLDOWN_MS = 60 * 1000;
+
 function randomBase64Url(byteLength = 32): string {
   const bytes = new Uint8Array(byteLength);
   crypto.getRandomValues(bytes);

package/src/lib/auth/store.ts

@@ -28,13 +28,23 @@ export async function issueToken(
   now: number,
 ): Promise<void> {
   await db.batch([
-    db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+    // Replace this email's prior token, and sweep any expired token while here (no cron needed).
+    db.prepare('DELETE FROM magic_token WHERE email = ? OR expires_at <= ?').bind(email, now),
     db
       .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
       .bind(tokenHash, email, expiresAt, now),
   ]);
 }
 
+/** True when a magic-link token for this email was issued at or after `since`, for the send cooldown. */
+export async function recentlyIssued(db: D1Database, email: string, since: number): Promise<boolean> {
+  const row = await db
+    .prepare('SELECT 1 AS one FROM magic_token WHERE email = ? AND created_at >= ? LIMIT 1')
+    .bind(email, since)
+    .first<{ one: number }>();
+  return row != null;
+}
+
 /**
  * Consume a token in one atomic statement. A returned email means the token was present and
  * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
@@ -55,10 +65,13 @@ export async function createSession(
   expiresAt: number,
   now: number,
 ): Promise<void> {
-  await db
-    .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
-    .bind(id, email, expiresAt, now)
-    .run();
+  await db.batch([
+    // Sweep expired sessions on login, so abandoned rows do not accumulate (no cron needed).
+    db.prepare('DELETE FROM session WHERE expires_at <= ?').bind(now),
+    db
+      .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+      .bind(id, email, expiresAt, now),
+  ]);
 }
 
 /**

package/src/lib/components/EditPage.svelte

@@ -12,15 +12,16 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
   import type { IconSet } from '../render/glyph.js';
   import type { EditData } from '../sveltekit/content-routes.js';
   import type { TextareaField, TagsField, FreeTagsField } from '../content/types.js';
-  import { sanitizePreviewHtml } from '../render/sanitize.js';
+  import type { LinkResolve } from '../content/links.js';
+  import { manifestLinkResolver } from '../content/manifest.js';
 
   interface Props {
     /** The edit load's data, plus the site name for the heading. */
     data: EditData & { siteName: string };
     /** The site's component registry, for the insert palette. */
     registry?: ComponentRegistry;
-    /** The site's design-accurate render pipeline; the preview pane sanitizes its output. */
-    render?: (md: string, opts?: { stagger?: boolean }) => string | Promise<string>;
+    /** The site's design-accurate render pipeline; the preview pane renders its output, which the floored pipeline already sanitized. */
+    render?: (md: string, opts?: { stagger?: boolean; resolve?: LinkResolve }) => string | Promise<string>;
     /** The site's icon set, for the guided form's icon fields. */
     icons?: IconSet;
   }
@@ -34,6 +35,10 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
   let previewHtml = $state('');
   let insert = $state.raw<(text: string) => void>(() => {});
 
+  // The manifest-backed resolver turns a cairn: link into its live permalink in the preview, and
+  // returns undefined for a missing target so the render step marks it cairn-broken-link.
+  const resolveLink = $derived(manifestLinkResolver(data.linkTargets));
+
   const PREVIEW_KEY = 'cairn-admin:preview';
 
   $effect(() => {
@@ -46,20 +51,20 @@ markdown editor and a live, design-accurate preview. The whole surface is one fo
     localStorage.setItem(PREVIEW_KEY, showPreview ? '1' : '0');
   }
 
-  // Render the design-accurate preview as the body changes, debounced, and sanitize before the DOM.
-  // The sanitize is the one barrier between editor-authored markdown and the page (the editor is unsanitized).
+  // Render the design-accurate preview as the body changes, debounced. The site's render is the
+  // floored engine pipeline, so its output is already sanitized; the preview mirrors the page.
   // previewRun is a plain counter (not reactive state) used as a latest-wins guard: if a slow earlier
   // async render call resolves after a newer one has started, the stale result is discarded.
   let previewRun = 0;
   $effect(() => {
     if (!showPreview || !render) return;
     const md = body;
+    const resolve = resolveLink; // tracked read in the effect body
     const run = ++previewRun;
     const handle = setTimeout(async () => {
       try {
-        const html = await render(md);
-        const safe = await sanitizePreviewHtml(html);
-        if (run === previewRun) previewHtml = safe;
+        const html = await render(md, { resolve });
+        if (run === previewRun) previewHtml = html;
       } catch {
         if (run === previewRun) previewHtml = '';
       }

package/src/lib/content/compose.ts

@@ -31,6 +31,7 @@ export function composeRuntime(
     backend: adapter.backend,
     sender: adapter.sender,
     render: adapter.render,
+    manifestPath: adapter.manifestPath ?? 'src/content/.cairn/index.json',
     registry: adapter.registry,
     icons: adapter.icons,
     navMenu: adapter.navMenu,

package/src/lib/content/links.ts

@@ -0,0 +1,48 @@
+// cairn-cms: the cairn: internal-link token. An internal link is a standard CommonMark link
+// whose href is `cairn:<concept>/<id>`, keyed to the target's permanent filename stem so it
+// survives a slug, date, or permalink change (content-graph design). This module owns the
+// grammar; the render resolver (resolve-links.ts) reuses parseCairnToken.
+import { unified } from 'unified';
+import remarkParse from 'remark-parse';
+import remarkGfm from 'remark-gfm';
+import { visit } from 'unist-util-visit';
+import { isValidId } from './ids.js';
+
+/** A resolved reference to a content entry by its concept and permanent id. */
+export interface CairnRef {
+  concept: string;
+  id: string;
+}
+
+/** Resolve a reference to its live permalink. Returns undefined when the target is missing (the
+ *  preview marks it); the build resolver throws instead, so a dangling token fails the build. */
+export type LinkResolve = (ref: CairnRef) => string | undefined;
+
+/** Parse a `cairn:<concept>/<id>` href, or null for any other href or a malformed token. */
+export function parseCairnToken(href: string): CairnRef | null {
+  if (!href.startsWith('cairn:')) return null;
+  const rest = href.slice('cairn:'.length);
+  const slash = rest.indexOf('/');
+  if (slash <= 0) return null;
+  const concept = rest.slice(0, slash);
+  const id = rest.slice(slash + 1);
+  if (!concept || !isValidId(id)) return null;
+  return { concept, id };
+}
+
+/** The cairn links a markdown body points at, in first-occurrence order, deduped by concept/id.
+ *  Parses the body as mdast, so a token inside a code span or fence is never matched. */
+export function extractCairnLinks(body: string): CairnRef[] {
+  const tree = unified().use(remarkParse).use(remarkGfm).parse(body);
+  const seen = new Set<string>();
+  const refs: CairnRef[] = [];
+  visit(tree, 'link', (node: { url?: string }) => {
+    const ref = node.url ? parseCairnToken(node.url) : null;
+    if (!ref) return;
+    const key = `${ref.concept}/${ref.id}`;
+    if (seen.has(key)) return;
+    seen.add(key);
+    refs.push(ref);
+  });
+  return refs;
+}