@glw907/cairn-cms 0.24.0 → 0.29.0

package/dist/index.js

@@ -12,7 +12,7 @@ export { isValidId, idFromFilename, filenameFromId, slugify, slugFromId, compose
 // builder and the request-time resolver ship from the delivery entry; this surface is the
 // grammar, the manifest operations, and their types a migrating site adopts.
 export { parseCairnToken, extractCairnLinks, formatCairnToken, escapeLinkText } from './content/links.js';
-export { serializeManifest, parseManifest, emptyManifest, verifyManifest, upsertEntry, removeEntry, manifestEntryFromFile, manifestLinkResolver, inboundLinks, } from './content/manifest.js';
+export { serializeManifest, parseManifest, emptyManifest, verifyManifest, diffManifests, upsertEntry, removeEntry, manifestEntryFromFile, manifestLinkResolver, inboundLinks, } from './content/manifest.js';
 // Render engine (Plan 04): generic directive pipeline; sites own the component registry.
 export { defineRegistry, emptyValues } from './render/registry.js';
 export { serializeComponent, parseComponent } from './render/component-grammar.js';
@@ -21,30 +21,8 @@ export { buildComponentInsert } from './render/component-insert.js';
 export { generateComponentReference } from './render/component-reference.js';
 export { glyph } from './render/glyph.js';
 export { remarkDirectiveStamp } from './render/remark-directives.js';
-export { rehypeDispatch, isElement, strProp, iconSpan, cardShell, headRow, markFirstList, } from './render/rehype-dispatch.js';
+export { rehypeDispatch, iconSpan, cardShell, headRow } from './render/rehype-dispatch.js';
 export { createRenderer } from './render/pipeline.js';
 export { CommitConflictError } from './github/types.js';
-export { appJwt, installationToken, signingSelfTest } from './github/signing.js';
-export { treeUrl, markdownFilesIn, listMarkdown, contentsUrl, readRaw, fileSha, commitFile, } from './github/repo.js';
-export { appCredentials } from './github/credentials.js';
 // Nav tree and site-config helpers (Plan 06).
 export { parseSiteConfig, urlPolicyFrom, extractMenu, setMenu, validateNavTree, MAX_NAV_NODES, NavValidationError, SiteConfigError, } from './nav/site-config.js';
-// Public content delivery (public-delivery design): the query index, syndication, and
-// discovery surface that sites read. Pure builders plus the one permalink resolver; the
-// SvelteKit loaders live under the /sveltekit subpath.
-export { permalink } from './content/permalink.js';
-export { createContentIndex, fromGlob } from './delivery/content-index.js';
-export { createSiteIndex } from './delivery/site-index.js';
-export { createSiteIndexes } from './delivery/site-indexes.js';
-export { deriveExcerpt, wordCount } from './delivery/excerpt.js';
-export { buildRssFeed, buildJsonFeed } from './delivery/feeds.js';
-export { buildSitemap } from './delivery/sitemap.js';
-export { buildRobots } from './delivery/robots.js';
-export { buildSeoMeta } from './delivery/seo.js';
-export { readSeoFields, resolveImageUrl } from './delivery/seo-fields.js';
-export { paginate } from './delivery/paginate.js';
-// Root superset of the delivery route surface: a wrong guess from root for a route loader or a
-// response helper now resolves. The CairnHead component stays out of root so the root barrel stays
-// node-importable for the unit suite; it resolves from @glw907/cairn-cms/delivery/head.
-export { rssResponse, jsonFeedResponse, sitemapResponse, robotsResponse } from './delivery/responses.js';
-export { createPublicRoutes } from './sveltekit/public-routes.js';

package/dist/nav/site-config.d.ts

@@ -52,4 +52,3 @@ export declare function urlPolicyFrom(config: SiteConfig): Record<string, Concep
  * serializes without `url`/`children` keys.
  */
 export declare function setMenu(raw: string, name: string, tree: NavNode[]): string;
-//# sourceMappingURL=site-config.d.ts.map

package/dist/render/component-grammar.d.ts

@@ -14,4 +14,3 @@ export declare function parseComponentWithRawKeys(markdown: string, def: Compone
     values: ComponentValues;
     rawKeys: string[];
 }>;
-//# sourceMappingURL=component-grammar.d.ts.map

package/dist/render/component-insert.d.ts

@@ -11,4 +11,3 @@ export type ComponentInsert = {
 /** Serialize a component's form values, then validate the result against its schema. Returns the
  *  markdown to insert at the cursor, or the field errors keyed by attribute key or slot name. */
 export declare function buildComponentInsert(def: ComponentDef, values: ComponentValues): Promise<ComponentInsert>;
-//# sourceMappingURL=component-insert.d.ts.map

package/dist/render/component-reference.d.ts

@@ -8,4 +8,3 @@ export interface ReferenceOptions {
 /** Build a self-contained markdown reference (the llms-full.txt shape) for a component registry, for
  *  authors and for pointing an LLM at one curated file. */
 export declare function generateComponentReference(registry: ComponentRegistry, opts: ReferenceOptions): string;
-//# sourceMappingURL=component-reference.d.ts.map

package/dist/render/component-validate.d.ts

@@ -7,4 +7,3 @@ export type ComponentValidation = {
     errors: Record<string, string>;
 };
 export declare function validateComponent(markdown: string, def: ComponentDef): Promise<ComponentValidation>;
-//# sourceMappingURL=component-validate.d.ts.map

package/dist/render/glyph.d.ts

@@ -6,4 +6,3 @@ export type IconSet = Record<string, string>;
  *  a stray empty (or undefined) path. Callers always wrap the returned element, so the shell
  *  keeps them safe. */
 export declare function glyph(name: string, icons: IconSet): Element;
-//# sourceMappingURL=glyph.d.ts.map

package/dist/render/index.d.ts

@@ -3,4 +3,3 @@ export * from './glyph.js';
 export * from './remark-directives.js';
 export * from './rehype-dispatch.js';
 export * from './pipeline.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/render/pipeline.d.ts

@@ -1,6 +1,6 @@
 import { type PluggableList } from 'unified';
 import type { Schema } from 'hast-util-sanitize';
-import type { ComponentRegistry } from './registry.js';
+import { type ComponentRegistry } from './registry.js';
 import type { LinkResolve } from '../content/links.js';
 export interface RendererOptions {
     /** Stamp a `data-rise` ordinal (0, 1, 2, …) on each top-level component so a site's
@@ -24,11 +24,10 @@ export interface RendererOptions {
 /** Compose a site's render pipeline from its component registry: directive syntax to
  *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the admin editor preview can reuse the exact same set). */
-export declare function createRenderer(registry: ComponentRegistry, options?: RendererOptions): {
+export declare function createRenderer(registry?: ComponentRegistry, options?: RendererOptions): {
     remarkPlugins: PluggableList;
     rehypePlugins: PluggableList;
     renderMarkdown: (content: string, opts?: {
         resolve?: LinkResolve;
     }) => Promise<string>;
 };
-//# sourceMappingURL=pipeline.d.ts.map

package/dist/render/pipeline.js

@@ -8,14 +8,15 @@ import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
 import rehypeSanitize from 'rehype-sanitize';
 import { VFile } from 'vfile';
-import { buildSanitizeSchema, rehypeAnchorRel } from './sanitize-schema.js';
+import { buildSanitizeSchema, rehypeAnchorRel, rehypeSinkGuard } from './sanitize-schema.js';
 import { remarkDirectiveStamp } from './remark-directives.js';
 import { remarkResolveCairnLinks, CAIRN_RESOLVE } from './resolve-links.js';
 import { rehypeDispatch } from './rehype-dispatch.js';
+import { defineRegistry } from './registry.js';
 /** Compose a site's render pipeline from its component registry: directive syntax to
  *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the admin editor preview can reuse the exact same set). */
-export function createRenderer(registry, options = {}) {
+export function createRenderer(registry = defineRegistry({ components: [] }), options = {}) {
     const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry], remarkResolveCairnLinks];
     // The sanitize floor runs after rehype-raw (so author raw HTML is parsed, then cleaned) and
     // before the dispatch (so the site's trusted build() output and its inline SVG icons are never
@@ -32,6 +33,10 @@ export function createRenderer(registry, options = {}) {
     ];
     if (rel !== false)
         rehypePlugins.push([rehypeAnchorRel, rel]);
+    // The sink guard runs last, over the fully-built tree, so it neutralizes a sink a component
+    // build() emitted after the floor. Gated by the same switch as the floor.
+    if (!options.unsafeDisableSanitize)
+        rehypePlugins.push(rehypeSinkGuard);
     const processor = unified()
         .use(remarkParse)
         .use(remarkGfm)

package/dist/render/registry.d.ts

@@ -91,4 +91,3 @@ export interface ComponentValues {
 /** Seed an empty {@link ComponentValues} from a component's schema: attribute defaults (or '' / false)
  *  and empty slot values ([] for repeatable, '' otherwise). */
 export declare function emptyValues(def: ComponentDef): ComponentValues;
-//# sourceMappingURL=registry.d.ts.map

package/dist/render/rehype-dispatch.d.ts

@@ -23,4 +23,3 @@ export declare function markFirstList(children: ElementContent[]): Element | und
  *  `data-rise` while dropping `style`. Nested primitives never get it. Non-primitive
  *  content (lede, intro paragraphs, the page-toc nav) passes through untouched. */
 export declare function rehypeDispatch(registry: ComponentRegistry, stagger?: boolean): (tree: Root) => void;
-//# sourceMappingURL=rehype-dispatch.d.ts.map

package/dist/render/remark-directives.d.ts

@@ -1,4 +1,3 @@
 import type { Root } from 'mdast';
 import { type ComponentRegistry } from './registry.js';
 export declare function remarkDirectiveStamp(registry: ComponentRegistry): (tree: Root) => void;
-//# sourceMappingURL=remark-directives.d.ts.map

package/dist/render/resolve-links.d.ts

@@ -5,4 +5,3 @@ export declare const CAIRN_RESOLVE = "cairnResolve";
  *  pass through. A missing target is marked with the cairn-broken-link class (the resolver returns
  *  undefined) or, when the resolver throws, the error propagates and fails the build. */
 export declare function remarkResolveCairnLinks(): (tree: unknown, file: VFile) => void;
-//# sourceMappingURL=resolve-links.d.ts.map

package/dist/render/sanitize-schema.d.ts

@@ -18,4 +18,17 @@ export declare function buildSanitizeSchema(registry: ComponentRegistry, extend?
  * `anchorRel` option (default `noopener noreferrer`); a site can override it or disable it entirely.
  */
 export declare function rehypeAnchorRel(rel: string): (tree: Root) => void;
-//# sourceMappingURL=sanitize-schema.d.ts.map
+/**
+ * Post-dispatch safety floor over the fully-built tree. The pre-dispatch rehype-sanitize floor
+ * cleans author content, but a component build() runs after it and can route a raw author
+ * attribute value into a sink. This guard runs last and neutralizes those sinks on every element
+ * no matter which plugin or which build() produced it: an unsafe URL scheme in a URL-bearing
+ * attribute, an inline on* event handler, or an inline style (stripped wholesale, matching the
+ * floor and cairn's class-driven styling). It is gated by the same unsafeDisableSanitize switch as
+ * the floor.
+ *
+ * The guard's boundary is the URL scheme check plus the on* and style strip. It does not remove a
+ * build()-emitted raw script, style, or iframe srcdoc element node. A build() that emits those is
+ * running site-developer code, and author markdown is cleaned by the pre-dispatch floor.
+ */
+export declare function rehypeSinkGuard(): (tree: Root) => void;

package/dist/render/sanitize-schema.js

@@ -56,3 +56,99 @@ export function rehypeAnchorRel(rel) {
         });
     };
 }
+// URL-bearing hast properties the post-dispatch guard scheme-checks. hast camelCases attribute
+// names through property-information (srcset -> srcSet, xlink:href -> xLinkHref with a capital L,
+// formaction -> formAction). data is the <object data> URL attribute; data-* attributes camelCase
+// to dataFoo and are not matched here.
+const URL_PROPS = new Set([
+    'href',
+    'src',
+    'srcSet',
+    'xLinkHref',
+    'poster',
+    'formAction',
+    'action',
+    'data',
+    'background',
+]);
+// The safe URL schemes: the union of every protocol list in defaultSchema, plus cairn. The
+// floor admits these and strips the rest, so deriving from the same source keeps the floor and
+// this guard from drifting on what a safe scheme is. javascript:/data:/vbscript: are never in
+// defaultSchema, so they are never safe.
+const SAFE_SCHEMES = (() => {
+    const protocols = defaultSchema.protocols ?? {};
+    const schemes = new Set(['cairn']);
+    for (const list of Object.values(protocols)) {
+        for (const scheme of list ?? [])
+            schemes.add(String(scheme).toLowerCase());
+    }
+    return schemes;
+})();
+// Read a URL value's scheme for the safety check, defeating the whitespace and control-character
+// tricks a browser ignores inside a scheme (java\tscript:, a leading space). A value with no
+// scheme (relative, anchor, query) returns undefined and is always safe.
+function urlScheme(value) {
+    const cleaned = value.replace(/[\x00-\x20]+/g, '');
+    const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+    return match ? match[1].toLowerCase() : undefined;
+}
+function isSafeUrl(value) {
+    const scheme = urlScheme(value);
+    return scheme === undefined || SAFE_SCHEMES.has(scheme);
+}
+// srcset is "url descriptor, url descriptor, …". hast may store it as a string or, because
+// property-information marks it comma-separated, as a string array. One unsafe candidate makes
+// the whole attribute unsafe.
+function isSafeSrcset(value) {
+    const candidates = Array.isArray(value)
+        ? value.map(String)
+        : typeof value === 'string'
+            ? value.split(',')
+            : [];
+    return candidates.every((candidate) => {
+        const url = candidate.trim().split(/\s+/)[0];
+        return url === '' || isSafeUrl(url);
+    });
+}
+// Decide whether one URL-bearing property value is safe to keep. srcset has its own
+// multi-candidate grammar. A non-string value carries no scheme to abuse, so the floor's own
+// handling stands and the guard leaves it alone.
+function isSafeUrlProp(key, value) {
+    if (key === 'srcSet')
+        return isSafeSrcset(value);
+    if (typeof value !== 'string')
+        return true;
+    return isSafeUrl(value);
+}
+/**
+ * Post-dispatch safety floor over the fully-built tree. The pre-dispatch rehype-sanitize floor
+ * cleans author content, but a component build() runs after it and can route a raw author
+ * attribute value into a sink. This guard runs last and neutralizes those sinks on every element
+ * no matter which plugin or which build() produced it: an unsafe URL scheme in a URL-bearing
+ * attribute, an inline on* event handler, or an inline style (stripped wholesale, matching the
+ * floor and cairn's class-driven styling). It is gated by the same unsafeDisableSanitize switch as
+ * the floor.
+ *
+ * The guard's boundary is the URL scheme check plus the on* and style strip. It does not remove a
+ * build()-emitted raw script, style, or iframe srcdoc element node. A build() that emits those is
+ * running site-developer code, and author markdown is cleaned by the pre-dispatch floor.
+ */
+export function rehypeSinkGuard() {
+    return (tree) => {
+        visit(tree, 'element', (node) => {
+            const props = node.properties;
+            if (!props)
+                return;
+            for (const key of Object.keys(props)) {
+                if (/^on/i.test(key) || key === 'style') {
+                    delete props[key];
+                    continue;
+                }
+                if (!URL_PROPS.has(key))
+                    continue;
+                if (!isSafeUrlProp(key, props[key]))
+                    delete props[key];
+            }
+        });
+    };
+}

package/dist/sveltekit/auth-routes.d.ts

@@ -20,4 +20,3 @@ export declare function createAuthRoutes(config: AuthRoutesConfig): {
     confirmAction: (event: RequestContext) => Promise<never>;
     logoutAction: (event: RequestContext) => Promise<never>;
 };
-//# sourceMappingURL=auth-routes.d.ts.map

package/dist/sveltekit/content-routes.d.ts

@@ -89,4 +89,3 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mintToken: (env: GithubKeyEnv) => Promise<string>;
 };
-//# sourceMappingURL=content-routes.d.ts.map

package/dist/sveltekit/editors-routes.d.ts

@@ -21,4 +21,3 @@ export declare function createEditorRoutes(): {
         ok: true;
     }>;
 };
-//# sourceMappingURL=editors-routes.d.ts.map

package/dist/sveltekit/guard.d.ts

@@ -6,4 +6,3 @@ export declare function createAuthGuard(): ({ event, resolve }: HandleInput) =>
 export declare function requireSession(event: RequestContext): Editor;
 /** For the management surface: a signed-in owner, or 403 for an editor. */
 export declare function requireOwner(event: RequestContext): Editor;
-//# sourceMappingURL=guard.d.ts.map

package/dist/sveltekit/health.d.ts

@@ -16,4 +16,3 @@ export declare function healthLoad(event: {
         env?: GithubKeyEnv;
     };
 }, runtime: CairnRuntime): Promise<HealthData>;
-//# sourceMappingURL=health.d.ts.map

package/dist/sveltekit/index.d.ts

@@ -7,6 +7,4 @@ export { createNavRoutes } from './nav-routes.js';
 export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
 export { healthLoad, type HealthData } from './health.js';
 export type { RequestContext, CookieJar, HandleInput } from './types.js';
-export { createPublicRoutes } from './public-routes.js';
-export type { PublicRoutesDeps, ListData as PublicListData, TagData, TagIndexData, EntryData, } from './public-routes.js';
-//# sourceMappingURL=index.d.ts.map
+export type { GithubKeyEnv } from '../github/credentials.js';

package/dist/sveltekit/index.js

@@ -6,4 +6,3 @@ export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
 export { healthLoad } from './health.js';
-export { createPublicRoutes } from './public-routes.js';

package/dist/sveltekit/nav-routes.d.ts

@@ -27,4 +27,3 @@ export declare function createNavRoutes(runtime: CairnRuntime, deps?: NavRoutesD
     navLoad: (event: ContentEvent) => Promise<NavLoadData>;
     navSave: (event: ContentEvent) => Promise<never>;
 };
-//# sourceMappingURL=nav-routes.d.ts.map

package/dist/sveltekit/public-routes.d.ts

@@ -64,4 +64,3 @@ export declare function createPublicRoutes(deps: PublicRoutesDeps): {
         path: string;
     }[];
 };
-//# sourceMappingURL=public-routes.d.ts.map

package/dist/sveltekit/types.d.ts

@@ -35,4 +35,3 @@ export interface HandleInput {
     event: RequestContext;
     resolve(event: RequestContext): Promise<Response> | Response;
 }
-//# sourceMappingURL=types.d.ts.map

package/dist/vite/bin.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/vite/bin.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+// cairn-manifest: the regenerate command. It evaluates the cairnManifest virtual module in write mode
+// through the consumer's own Vite resolution and writes the canonical content manifest. A thin shell
+// over writeManifest so the write logic stays testable apart from the CLI.
+import { writeManifest } from './index.js';
+writeManifest(process.cwd()).catch((err) => {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+});

package/dist/vite/index.d.ts

@@ -0,0 +1,32 @@
+import type { Plugin, PluginOption } from 'vite';
+/** Options for {@link cairnManifest}. Paths are app-root-absolute (the form `import.meta.glob` wants),
+ *  so they match the build's own resolution. */
+export interface CairnManifestOptions {
+    /** The module exporting the `cairn` adapter and the parsed `siteConfig`, app-root-absolute. */
+    configModule: string;
+    /** Per-concept content globs, keyed by concept id, app-root-absolute. */
+    content: Record<string, string>;
+    /** The committed manifest path, app-root-absolute. Defaults to `/src/content/.cairn/index.json`. */
+    manifestPath?: string;
+}
+/** Flatten the consumer's plugins option and drop the cairnManifest plugin at any nesting depth, so
+ *  the nested verify server can never re-enter its buildStart. Vite supports (and flattens) nested
+ *  plugin arrays, and findCairnOptions recurses into them, so a flat single-level filter would miss a
+ *  cairnManifest nested inside a shared preset's sub-array and let it survive into the nested server.
+ *  This mirrors findCairnOptions's recursion. Falsy slots pass through, which Vite tolerates. */
+export declare function stripCairnManifest(plugins: PluginOption | PluginOption[]): PluginOption[];
+/** Verify the committed manifest against the corpus from a Vite context, throwing on drift. The bin
+ *  and the plugin share this; the spike proved it runs cleanly inside the consumer's config. */
+export declare function verifyManifestFromVite(opts: CairnManifestOptions, root: string): Promise<void>;
+/** Regenerate the serialized manifest from the corpus in a Vite context, sharing the build's
+ *  resolution. The cairn-manifest bin (a later task) will call this and write the result. */
+export declare function buildManifestFromVite(opts: CairnManifestOptions, root: string): Promise<string>;
+/** The cairnManifest plugin. It serves the verify virtual module to the app graph and, in
+ *  buildStart, evaluates it through a nested Vite SSR load so a manifest drift fails the build. */
+export declare function cairnManifest(opts: CairnManifestOptions): Plugin;
+/** Regenerate the committed manifest from the consumer's corpus and write it to the configured
+ *  manifestPath. It loads the consumer's Vite config from `cwd`, reads the cairnManifest plugin's
+ *  options off the instance, evaluates the write-mode virtual module through the build's own
+ *  resolution, and writes the serialized manifest. The cairn-manifest bin calls this; it is exported
+ *  so the write logic is testable apart from the CLI shell. */
+export declare function writeManifest(cwd?: string): Promise<void>;

package/dist/vite/index.js

@@ -0,0 +1,178 @@
+import { writeFile, mkdir } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+/** The key the cairnManifest plugin stashes its options under, so the write path can read them off the
+ *  plugin instance in the consumer's loaded config without re-parsing the config file. */
+const CAIRN_OPTIONS = Symbol.for('cairn-cms.manifest-options');
+const VIRTUAL_ID = 'virtual:cairn-manifest';
+const RESOLVED_ID = '\0' + VIRTUAL_ID;
+/** The default committed manifest path, app-root-absolute. */
+const DEFAULT_MANIFEST_PATH = '/src/content/.cairn/index.json';
+/** Build the virtual module source. In verify mode it throws on drift; in write mode it exports the
+ *  serialized manifest as `result`. The module runs in the app graph, so its `import.meta.glob`,
+ *  package, and `?raw` resolution is the build's own. */
+function virtualSource(opts, mode) {
+    const manifestPath = opts.manifestPath ?? DEFAULT_MANIFEST_PATH;
+    const globEntries = Object.entries(opts.content)
+        .map(([id, pattern]) => `  ${JSON.stringify(id)}: import.meta.glob(${JSON.stringify(pattern)}, { query: '?raw', import: 'default', eager: true }),`)
+        .join('\n');
+    // In write mode the committed file may not exist yet, so do not import it.
+    const committedImport = mode === 'verify' ? `import committed from ${JSON.stringify(manifestPath + '?raw')};` : '';
+    const resultExpr = mode === 'write' ? 'serializeManifest(built)' : '(verifyManifest(built, committed), "ok")';
+    return `
+import { buildSiteManifest } from '@glw907/cairn-cms/delivery/data';
+import { serializeManifest, verifyManifest } from '@glw907/cairn-cms';
+import { cairn, siteConfig } from ${JSON.stringify(opts.configModule)};
+${committedImport}
+const globs = {
+${globEntries}
+};
+const built = buildSiteManifest(cairn, siteConfig, globs);
+export const result = ${resultExpr};
+`;
+}
+/** Evaluate the virtual module in the given mode inside the consumer's own Vite resolution, then
+ *  return the module's `result`. It reuses the consumer's loaded config (so `$lib`, the config
+ *  module, `import.meta.glob`, and `?raw` resolve exactly as the build does) and strips the
+ *  cairnManifest plugin from the nested server's plugin list, so its buildStart never recurses.
+ *  This runs at build time and in the bin, never in the request lifecycle. */
+async function evalVirtual(opts, mode, root) {
+    const { createServer, loadConfigFromFile } = await import('vite');
+    // Load the consumer's real Vite config so the nested server inherits SvelteKit's resolution
+    // (the $lib alias, the app root, the ?raw and import.meta.glob handling). Drop cairnManifest from
+    // it so the nested server's buildStart does not recurse, and add a plugin that serves only the
+    // virtual module in the requested mode.
+    const loaded = await loadConfigFromFile({ command: 'build', mode: 'production' }, undefined, root);
+    const inlineConfig = loaded?.config ?? {};
+    const server = await createServer({
+        ...inlineConfig,
+        root,
+        configFile: false,
+        logLevel: 'silent',
+        server: { middlewareMode: true, hmr: false, watch: null },
+        plugins: [...stripCairnManifest(inlineConfig.plugins ?? []), cairnVirtualOnly(opts, mode)],
+    });
+    try {
+        const mod = (await server.ssrLoadModule(VIRTUAL_ID));
+        return mod.result;
+    }
+    finally {
+        await server.close();
+    }
+}
+/** True for any plugin object whose name is the cairnManifest plugin, so the nested server drops it
+ *  and cannot recurse into another buildStart. The consumer's plugin list may nest arrays and hold
+ *  falsy slots, so guard the shape. */
+function isCairnManifestPlugin(p) {
+    return !!p && typeof p === 'object' && 'name' in p && p.name === 'cairn-manifest';
+}
+/** Flatten the consumer's plugins option and drop the cairnManifest plugin at any nesting depth, so
+ *  the nested verify server can never re-enter its buildStart. Vite supports (and flattens) nested
+ *  plugin arrays, and findCairnOptions recurses into them, so a flat single-level filter would miss a
+ *  cairnManifest nested inside a shared preset's sub-array and let it survive into the nested server.
+ *  This mirrors findCairnOptions's recursion. Falsy slots pass through, which Vite tolerates. */
+export function stripCairnManifest(plugins) {
+    if (Array.isArray(plugins))
+        return plugins.flatMap(stripCairnManifest);
+    if (isCairnManifestPlugin(plugins))
+        return [];
+    return [plugins];
+}
+/** Verify the committed manifest against the corpus from a Vite context, throwing on drift. The bin
+ *  and the plugin share this; the spike proved it runs cleanly inside the consumer's config. */
+export async function verifyManifestFromVite(opts, root) {
+    await evalVirtual(opts, 'verify', root);
+}
+/** Regenerate the serialized manifest from the corpus in a Vite context, sharing the build's
+ *  resolution. The cairn-manifest bin (a later task) will call this and write the result. */
+export async function buildManifestFromVite(opts, root) {
+    return evalVirtual(opts, 'write', root);
+}
+/** The cairnManifest plugin. It serves the verify virtual module to the app graph and, in
+ *  buildStart, evaluates it through a nested Vite SSR load so a manifest drift fails the build. */
+export function cairnManifest(opts) {
+    let root = process.cwd();
+    const plugin = {
+        name: 'cairn-manifest',
+        configResolved(config) {
+            // Capture the resolved app root so the nested server loads the same config the build did.
+            root = config.root;
+        },
+        resolveId(id) {
+            if (id === VIRTUAL_ID)
+                return RESOLVED_ID;
+        },
+        load(id) {
+            if (id === RESOLVED_ID)
+                return virtualSource(opts, 'verify');
+        },
+        async buildStart() {
+            try {
+                await verifyManifestFromVite(opts, root);
+            }
+            catch (err) {
+                this.error(err instanceof Error ? err.message : String(err));
+            }
+        },
+    };
+    // Stash the options on the instance so the cairn-manifest bin's writeManifest can read the content
+    // globs, config module, and manifest path off the plugin in the consumer's loaded config, sharing
+    // exactly the options the build verifies with.
+    plugin[CAIRN_OPTIONS] = opts;
+    return plugin;
+}
+/** Regenerate the committed manifest from the consumer's corpus and write it to the configured
+ *  manifestPath. It loads the consumer's Vite config from `cwd`, reads the cairnManifest plugin's
+ *  options off the instance, evaluates the write-mode virtual module through the build's own
+ *  resolution, and writes the serialized manifest. The cairn-manifest bin calls this; it is exported
+ *  so the write logic is testable apart from the CLI shell. */
+export async function writeManifest(cwd = process.cwd()) {
+    const { loadConfigFromFile } = await import('vite');
+    const loaded = await loadConfigFromFile({ command: 'build', mode: 'production' }, undefined, cwd);
+    if (!loaded) {
+        throw new Error(`cairn-manifest: no Vite config found in ${cwd}`);
+    }
+    const opts = findCairnOptions(loaded.config.plugins);
+    if (!opts) {
+        throw new Error('cairn-manifest: the Vite config has no cairnManifest() plugin. Add it so the bin shares the build options.');
+    }
+    const serialized = await buildManifestFromVite(opts, cwd);
+    const manifestPath = opts.manifestPath ?? DEFAULT_MANIFEST_PATH;
+    // The manifest path is app-root-absolute (a leading slash relative to the project), so resolve it
+    // against cwd, not the filesystem root.
+    const outPath = join(cwd, manifestPath.replace(/^\//, ''));
+    await mkdir(dirname(outPath), { recursive: true });
+    await writeFile(outPath, serialized);
+}
+/** Walk a Vite plugins option (which may nest arrays, hold falsy slots, or be a thenable) and return
+ *  the stashed cairnManifest options from the first matching plugin, or null if there is none. */
+function findCairnOptions(plugins) {
+    if (!plugins)
+        return null;
+    if (Array.isArray(plugins)) {
+        for (const p of plugins) {
+            const found = findCairnOptions(p);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    if (typeof plugins === 'object' && CAIRN_OPTIONS in plugins) {
+        return plugins[CAIRN_OPTIONS] ?? null;
+    }
+    return null;
+}
+/** A minimal plugin that serves only the virtual module in one mode, for the nested SSR load. It
+ *  carries no buildStart, so the nested server never recurses into the verify. */
+function cairnVirtualOnly(opts, mode) {
+    return {
+        name: 'cairn-manifest-virtual',
+        resolveId(id) {
+            if (id === VIRTUAL_ID)
+                return RESOLVED_ID;
+        },
+        load(id) {
+            if (id === RESOLVED_ID)
+                return virtualSource(opts, mode);
+        },
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.24.0",
+  "version": "0.29.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -13,6 +13,10 @@
     "type": "git",
     "url": "git+https://github.com/glw907/cairn-cms.git"
   },
+  "homepage": "https://github.com/glw907/cairn-cms#readme",
+  "bugs": {
+    "url": "https://github.com/glw907/cairn-cms/issues"
+  },
   "keywords": [
     "cms",
     "sveltekit",
@@ -22,9 +26,10 @@
     "markdown"
   ],
   "scripts": {
-    "package": "svelte-package",
+    "package": "svelte-package && chmod +x dist/vite/bin.js",
     "check:package": "npm run package && publint --strict && attw --pack . --ignore-rules no-resolution cjs-resolves-to-esm internal-resolution-error",
-    "prepare": "svelte-package",
+    "check:reference": "npm run package && node scripts/reference-coverage.mjs",
+    "prepare": "npm run package",
     "check": "svelte-check --tsconfig ./tsconfig.json",
     "test": "vitest run",
     "test:watch": "vitest",
@@ -58,11 +63,24 @@
       "svelte": "./dist/delivery/head.js",
       "default": "./dist/delivery/head.js"
     },
+    "./delivery/data": {
+      "types": "./dist/delivery/data.d.ts",
+      "svelte": "./dist/delivery/data.js",
+      "default": "./dist/delivery/data.js"
+    },
+    "./vite": {
+      "types": "./dist/vite/index.d.ts",
+      "default": "./dist/vite/index.js"
+    },
     "./package.json": "./package.json"
   },
+  "bin": {
+    "cairn-manifest": "./dist/vite/bin.js"
+  },
   "files": [
     "dist",
-    "src/lib"
+    "src/lib",
+    "CHANGELOG.md"
   ],
   "peerDependencies": {
     "@sveltejs/kit": "^2",