@glw907/cairn-cms 0.18.0 → 0.24.0

package/src/lib/render/pipeline.ts

@@ -30,6 +30,10 @@ export interface RendererOptions {
    *  vector the floor closes, so it is only for a site whose content is fully developer-controlled.
    *  It is a code-level adapter decision, never an editor-facing setting. */
   unsafeDisableSanitize?: boolean;
+  /** The `rel` value forced on every `target="_blank"` anchor, applied last so it also covers
+   *  component-built anchors. Defaults to `'noopener noreferrer'`. Set a different string to change
+   *  it, or `false` to disable the injection (a site that owns its own anchor hardening). */
+  anchorRel?: string | false;
 }
 
 /** Compose a site's render pipeline from its component registry: directive syntax to
@@ -43,13 +47,14 @@ export function createRenderer(registry: ComponentRegistry, options: RendererOpt
   const floor: PluggableList = options.unsafeDisableSanitize
     ? []
     : [[rehypeSanitize, buildSanitizeSchema(registry, options.sanitizeSchema)]];
+  const rel = options.anchorRel ?? 'noopener noreferrer';
   const rehypePlugins: PluggableList = [
     rehypeRaw,
     ...floor,
     [rehypeDispatch, registry, options.stagger],
     rehypeSlug,
-    rehypeAnchorRel,
   ];
+  if (rel !== false) rehypePlugins.push([rehypeAnchorRel, rel]);
   const processor = unified()
     .use(remarkParse)
     .use(remarkGfm)

package/src/lib/render/registry.ts

@@ -19,7 +19,7 @@ export interface AttributeField {
   /** Initial value; a string for text/select/icon, a boolean for boolean. */
   default?: string | boolean;
   /** Allowed values for `type: 'select'`. */
-  options?: string[];
+  options?: readonly string[];
   /** Helper text shown under the field. */
   help?: string;
 }

package/src/lib/render/rehype-dispatch.ts

@@ -7,7 +7,7 @@ export function isElement(node: ElementContent | undefined): node is Element {
 }
 
 // hast Properties values are PropertyValue (string | number | boolean | array | null).
-// Directive markers (dataIcon/dataRole/dataPrimitive) are always stamped as strings;
+// Directive markers (dataPrimitive/dataRole/dataAttr<Key>) are always stamped as strings;
 // this reads them back with that guarantee instead of casting at each call site.
 export function strProp(node: Element, name: string): string | undefined {
   const value = node.properties?.[name];
@@ -28,6 +28,17 @@ export function cardShell(classes: string[], body: ElementContent[]): Element {
   return h('section', { className: classes }, [h('div', { className: ['card-body'] }, body)]);
 }
 
+/** Card head row: `<div class="ec-head">[icon]<h2 class="card-title">{title}</h2></div>`.
+ *  Pass the title's inline children and an optional pre-built icon element, the way `cardShell`
+ *  takes already-built body content. This factors the icon-plus-heading head that a titled
+ *  component build would otherwise rebuild by hand (the shape the removed `splitHead` produced). */
+export function headRow(title: ElementContent[], icon?: Element): Element {
+  const children: ElementContent[] = [];
+  if (icon) children.push(icon);
+  children.push(h('h2', { className: ['card-title'] }, title));
+  return h('div', { className: ['ec-head'] }, children);
+}
+
 /** Tag the first <ul> among children with `ec-grid` and strip its whitespace-only
  *  text nodes so the bare list serializes without newlines. Returns that <ul>. */
 export function markFirstList(children: ElementContent[]): Element | undefined {

package/src/lib/render/remark-directives.ts

@@ -59,17 +59,22 @@ export function remarkDirectiveStamp(registry: ComponentRegistry) {
       const def = registry.get(node.name);
       const attrs = node.attributes ?? {};
       const role = attrs.role || undefined;
-      let icon = attrs.icon || undefined;
+      const iconField = def?.attributes?.find((field) => field.type === 'icon');
+      const iconKey = iconField?.key ?? 'icon';
+      let icon = attrs[iconKey] || undefined;
       if (!icon && role) icon = registry.defaultIcon(node.name, role);
 
       const properties: Record<string, string> = { dataPrimitive: node.name };
-      if (icon) properties.dataIcon = icon;
       if (role) properties.dataRole = role;
       // Carry every declared attribute to hast so the dispatch partitioner can build the
-      // component context. data-attr-<key> survives to the element; build() consumes it and
-      // returns a fresh element, so the marker never reaches the published DOM.
+      // component context. The icon attribute uses the already-resolved `icon` (the author value
+      // coerced through the same empty-is-absent rule above, or the defaultIconByRole default), so
+      // a role default reaches the build through the one declared path and a blank `icon=` falls
+      // back to that default the same way a missing one does. data-attr-<key> survives to the
+      // element; build() consumes it and returns a fresh element, so the marker never reaches the
+      // published DOM.
       for (const field of def?.attributes ?? []) {
-        const raw = attrs[field.key];
+        const raw = field === iconField ? icon : attrs[field.key];
         if (raw != null) properties[dataAttrProp(field.key)] = raw;
       }
 
@@ -91,6 +96,12 @@ export function remarkDirectiveStamp(registry: ComponentRegistry) {
           markSlot(child, (child as { name: string }).name);
         }
       }
+
+      // A directive [label] that the component has no `title` slot to claim would otherwise fall
+      // through as body content and render as a stray paragraph. Drop it.
+      if (!slotNames.has('title')) {
+        node.children = node.children.filter((child) => !isDirectiveLabel(child)) as typeof node.children;
+      }
     });
 
     visit(tree, ['textDirective', 'leafDirective'], (node, index, parent) => {

package/src/lib/render/sanitize-schema.ts

@@ -5,7 +5,7 @@ import { dataAttrProp, type ComponentRegistry } from './registry.js';
 
 // The fixed directive markers the stamp writes and the dispatch reads. They are inert data
 // attributes, never a script vector, and must survive the floor so the dispatch still runs.
-const FIXED_MARKERS = ['dataPrimitive', 'dataSlot', 'dataIcon', 'dataRole', 'dataRise'];
+const FIXED_MARKERS = ['dataPrimitive', 'dataSlot', 'dataRole', 'dataRise'];
 
 /**
  * Build the delivery sanitize schema. Starts from hast-util-sanitize's defaultSchema, the
@@ -51,15 +51,16 @@ export function buildSanitizeSchema(
 }
 
 /**
- * Force rel="noopener noreferrer" on every target="_blank" anchor, to prevent reverse-tabnabbing.
+ * Force a `rel` value on every target="_blank" anchor, to prevent reverse-tabnabbing.
  * hast-util-sanitize runs no per-node hook, so this small transform carries the behavior the old
- * DOMPurify preview pass enforced, now on the delivered output as well.
+ * DOMPurify preview pass enforced, now on the delivered output as well. The value is the renderer's
+ * `anchorRel` option (default `noopener noreferrer`); a site can override it or disable it entirely.
  */
-export function rehypeAnchorRel() {
+export function rehypeAnchorRel(rel: string) {
   return (tree: Root) => {
     visit(tree, 'element', (node: Element) => {
       if (node.tagName === 'a' && node.properties?.target === '_blank') {
-        node.properties.rel = 'noopener noreferrer';
+        node.properties.rel = rel;
       }
     });
   };

package/src/lib/sveltekit/content-routes.ts

@@ -2,14 +2,16 @@
 // A factory closes over the composed runtime and the GitHub token mint, so the read and
 // commit paths are unit-testable against a fetch double with an injected token, mirroring the
 // email `send` injection in auth-routes. A shim stays one line: `export const load = routes.editLoad`.
-import { redirect, error } from '@sveltejs/kit';
+import { redirect, error, fail } from '@sveltejs/kit';
 import { findConcept } from '../content/concepts.js';
+import { extractCairnLinks, formatCairnToken } from '../content/links.js';
 import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown } from '../content/frontmatter.js';
-import { isValidId, slugify, filenameFromId, composeDatedId } from '../content/ids.js';
+import { isValidId, slugify, filenameFromId, composeDatedId, slugFromId, renameId } from '../content/ids.js';
+import { rewriteCairnLink } from '../components/markdown-format.js';
 import { appCredentials, type GithubKeyEnv } from '../github/credentials.js';
-import { listMarkdown, readRaw, commitFiles } from '../github/repo.js';
+import { listMarkdown, readRaw, commitFiles, type FileChange } from '../github/repo.js';
 import { cachedInstallationToken } from '../github/signing.js';
-import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, type LinkTarget } from '../content/manifest.js';
+import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, removeEntry, inboundLinks, type LinkTarget, type InboundLink } from '../content/manifest.js';
 import { CommitConflictError } from '../github/types.js';
 import type { CairnRuntime, ConceptDescriptor, FrontmatterField } from '../content/types.js';
 import type { Editor, Role } from '../auth/types.js';
@@ -63,9 +65,15 @@ export interface EditData {
   title: string;
   isNew: boolean;
   saved: boolean;
+  /** True after a successful rename redirect (`?renamed=1`), to confirm the new URL to the author. */
+  renamed: boolean;
   error: string | null;
+  /** The current URL slug (the date-stripped id for a dated concept), for the rename dialog prefill. */
+  slug: string;
   /** The site's link targets, for the preview resolver and the link picker; from the committed manifest. */
   linkTargets: LinkTarget[];
+  /** The entries that link to this one, for the delete guard. Empty when nothing links here. */
+  inboundLinks: InboundLink[];
 }
 
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
@@ -205,16 +213,22 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
     const isNew = event.url.searchParams.get('new') === '1';
     const token = await mintToken(event.platform?.env ?? {});
-    const raw = await readRaw(runtime.backend, `${concept.dir}/${filenameFromId(id)}`, token);
+    const datePrefix = concept.routing.dated ? concept.datePrefix : null;
+    // The entry file and the manifest are independent reads sharing the token; fetch them together.
+    const [raw, manifestRaw] = await Promise.all([
+      readRaw(runtime.backend, `${concept.dir}/${filenameFromId(id)}`, token),
+      readRaw(runtime.backend, runtime.manifestPath, token),
+    ]);
     if (raw === null && !isNew) throw error(404, 'Entry not found');
 
     const parsed = raw === null ? { frontmatter: {}, body: '' } : parseMarkdown(raw);
     const title = typeof parsed.frontmatter.title === 'string' && parsed.frontmatter.title.trim() ? parsed.frontmatter.title : id;
 
     let linkTargets: LinkTarget[] = [];
-    const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
+    let inbound: InboundLink[] = [];
     if (manifestRaw !== null) {
-      linkTargets = parseManifest(manifestRaw).entries.map((e) => ({
+      const manifest = parseManifest(manifestRaw);
+      linkTargets = manifest.entries.map((e) => ({
         concept: e.concept,
         id: e.id,
         permalink: e.permalink,
@@ -222,6 +236,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
         date: e.date,
         draft: e.draft,
       }));
+      inbound = inboundLinks(manifest, concept.id, id);
     }
 
     return {
@@ -234,8 +249,11 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       title,
       isNew,
       saved: event.url.searchParams.get('saved') === '1',
+      renamed: event.url.searchParams.get('renamed') === '1',
       error: event.url.searchParams.get('error'),
+      slug: slugFromId(id, datePrefix),
       linkTargets,
+      inboundLinks: inbound,
     };
   }
 
@@ -245,7 +263,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
   }
 
   /** Save an edit: validate, then commit with the session editor as author. Fails safe on 409. */
-  async function saveAction(event: ContentEvent): Promise<never> {
+  async function saveAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
     const editor = sessionOf(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
@@ -277,7 +295,27 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
     const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
     const row = manifestEntryFromFile(concept, { path, raw: markdown });
-    const nextManifest = serializeManifest(upsertEntry(manifest, row));
+    const upserted = upsertEntry(manifest, row);
+    const nextManifest = serializeManifest(upserted);
+
+    // Save guard: resolve the body's cairn links against the manifest with this entry upserted, so a
+    // self-link and a link to any existing target resolves. A link to an absent target hard-blocks
+    // the save (it would red the deploy build and the author would not see it); a link to a draft
+    // target commits with a warning, since it is valid and resolves once the target is published.
+    const byKey = new Map(upserted.entries.map((e) => [`${e.concept}/${e.id}`, e]));
+    const absent: string[] = [];
+    const draft: string[] = [];
+    for (const ref of extractCairnLinks(body)) {
+      // A self-link is valid by construction (the upserted manifest holds this very entry), so
+      // skip it before classifying. Mirrors inboundLinks's self-exclusion.
+      if (ref.concept === concept.id && ref.id === id) continue;
+      const target = byKey.get(`${ref.concept}/${ref.id}`);
+      if (!target) absent.push(formatCairnToken(ref));
+      else if (target.draft) draft.push(formatCairnToken(ref));
+    }
+    if (absent.length) {
+      return fail(400, { brokenLinks: absent, body });
+    }
 
     try {
       await commitFiles(
@@ -296,8 +334,137 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       }
       throw err;
     }
-    throw redirect(303, `/admin/${concept.id}/${id}?saved=1`);
+    const savedQuery = draft.length ? `saved=1&drafts=${encodeURIComponent(draft.join(','))}` : 'saved=1';
+    throw redirect(303, `/admin/${concept.id}/${id}?${savedQuery}`);
+  }
+
+  /** Delete an entry. Block-until-clean: refuse while inbound links exist (naming them), else commit
+   *  the file removal and the manifest patch in one commit. The inbound recheck here is the
+   *  authoritative gate, closing the load-to-delete race. */
+  async function deleteAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
+    const editor = sessionOf(event);
+    const concept = conceptOf(runtime, event.params);
+    const id = event.params.id ?? '';
+    if (!isValidId(id)) throw error(400, 'Invalid entry id');
+    const path = `${concept.dir}/${filenameFromId(id)}`;
+    const token = await mintToken(event.platform?.env ?? {});
+
+    // An absent manifest degrades the inbound gate to "allow": with no manifest there is nothing to
+    // check, and the build's cairn: backstop still catches any dangling token, mirroring saveAction.
+    const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
+    const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
+    const inbound = inboundLinks(manifest, concept.id, id);
+    if (inbound.length) {
+      return fail(409, { inboundLinks: inbound });
+    }
+
+    const nextManifest = serializeManifest(removeEntry(manifest, concept.id, id));
+    try {
+      await commitFiles(
+        runtime.backend,
+        [
+          { path, content: null },
+          { path: runtime.manifestPath, content: nextManifest },
+        ],
+        { message: `Delete ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } },
+        token,
+      );
+    } catch (err) {
+      if (isConflict(err)) {
+        const message = 'This file changed since you opened it. Reload and try again.';
+        throw redirect(303, `/admin/${concept.id}/${id}?error=${encodeURIComponent(message)}`);
+      }
+      throw err;
+    }
+    throw redirect(303, `/admin/${concept.id}`);
+  }
+
+  /** Rename an entry: change its slug, move the file, and rewrite every inbound cairn token in one
+   *  atomic commit, so no internal link breaks. The collision check and the inbound recompute here
+   *  are the authoritative gate. The same last-writer-wins manifest race as save and delete applies,
+   *  caught by the build's fail-closed backstop. */
+  async function renameAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
+    const editor = sessionOf(event);
+    const concept = conceptOf(runtime, event.params);
+    const id = event.params.id ?? '';
+    if (!isValidId(id)) throw error(400, 'Invalid entry id');
+
+    const form = await event.request.formData();
+    const newSlug = String(form.get('slug') ?? '').trim();
+    if (!isValidId(newSlug)) {
+      return fail(400, { renameError: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' });
+    }
+    const datePrefix = concept.routing.dated ? concept.datePrefix : null;
+    if (concept.routing.dated && /^\d{4}-/.test(newSlug)) {
+      return fail(400, { renameError: 'Leave the date out of the slug.' });
+    }
+    if (newSlug === slugFromId(id, datePrefix)) {
+      return fail(400, { renameError: 'That is already the slug.' });
+    }
+    const newId = renameId(id, newSlug, datePrefix);
+    const oldPath = `${concept.dir}/${filenameFromId(id)}`;
+    const newPath = `${concept.dir}/${filenameFromId(newId)}`;
+    const token = await mintToken(event.platform?.env ?? {});
+
+    // Collision guard: refuse if a file already exists at the new path. This 409 covers two cases a
+    // single readRaw cannot tell apart: a static collision with an existing entry, and a
+    // concurrent-rename race where another editor renamed onto this path between load and submit.
+    const clobber = await readRaw(runtime.backend, newPath, token);
+    if (clobber !== null) {
+      return fail(409, { renameError: 'An entry with that slug already exists.' });
+    }
+
+    const [entryRaw, manifestRaw] = await Promise.all([
+      readRaw(runtime.backend, oldPath, token),
+      readRaw(runtime.backend, runtime.manifestPath, token),
+    ]);
+    if (entryRaw === null) throw error(404, 'Entry not found');
+    const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
+
+    const oldHref = formatCairnToken({ concept: concept.id, id });
+    const newHref = formatCairnToken({ concept: concept.id, id: newId });
+
+    // The moved file keeps its content, except a self-token rewrite. Re-derive its manifest row from
+    // the new path so the row carries the new id and permalink by construction.
+    const movedRaw = rewriteCairnLink(entryRaw, oldHref, newHref);
+    const changes: FileChange[] = [
+      { path: oldPath, content: null },
+      { path: newPath, content: movedRaw },
+    ];
+    let next = removeEntry(manifest, concept.id, id);
+    next = upsertEntry(next, manifestEntryFromFile(concept, { path: newPath, raw: movedRaw }));
+
+    // Rewrite every inbound linker's body and re-derive its row, so its outbound edge points at the
+    // new id. A linker missing from the repo is skipped; the build backstop catches any drift.
+    for (const linker of inboundLinks(manifest, concept.id, id)) {
+      const linkerConcept = findConcept(runtime.concepts, linker.concept);
+      if (!linkerConcept) continue;
+      const linkerPath = `${linkerConcept.dir}/${filenameFromId(linker.id)}`;
+      const linkerRaw = await readRaw(runtime.backend, linkerPath, token);
+      if (linkerRaw === null) continue;
+      const rewritten = rewriteCairnLink(linkerRaw, oldHref, newHref);
+      changes.push({ path: linkerPath, content: rewritten });
+      next = upsertEntry(next, manifestEntryFromFile(linkerConcept, { path: linkerPath, raw: rewritten }));
+    }
+
+    changes.push({ path: runtime.manifestPath, content: serializeManifest(next) });
+
+    try {
+      await commitFiles(
+        runtime.backend,
+        changes,
+        { message: `Rename ${concept.label.toLowerCase()}: ${id} to ${newId}`, author: { name: editor.displayName, email: editor.email } },
+        token,
+      );
+    } catch (err) {
+      if (isConflict(err)) {
+        const message = 'This file changed since you opened it. Reload and try again.';
+        throw redirect(303, `/admin/${concept.id}/${id}?error=${encodeURIComponent(message)}`);
+      }
+      throw err;
+    }
+    throw redirect(303, `/admin/${concept.id}/${newId}?renamed=1`);
   }
 
-  return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, mintToken };
+  return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, deleteAction, renameAction, mintToken };
 }

package/src/lib/sveltekit/public-routes.ts

@@ -45,6 +45,7 @@ export interface TagIndexData {
 
 /** One entry's data: the detail entry, its rendered html, and its canonical URL. */
 export interface EntryData {
+  concept: string;
   entry: ContentEntry;
   html: string;
   canonicalUrl: string;
@@ -87,7 +88,7 @@ export function createPublicRoutes(deps: PublicRoutesDeps) {
       ...(fields.author ? { author: fields.author } : {}),
       ...(entry.date ? { feeds } : {}),
     });
-    return { entry, html: await render(entry.body, { stagger: true, resolve: buildLinkResolver(site) }), canonicalUrl, seo, newer, older };
+    return { concept: entry.concept, entry, html: await render(entry.body, { stagger: true, resolve: buildLinkResolver(site) }), canonicalUrl, seo, newer, older };
   }
 
   /** The chronological archive for one concept: every non-draft summary, newest-first. */