@glw907/cairn-cms 0.26.0 → 0.29.0

package/dist/delivery/paginate.d.ts

@@ -10,4 +10,3 @@ export interface Page<T> {
 }
 /** Slice `items` into the 1-based `page` of size `perPage`, clamping the page into bounds. */
 export declare function paginate<T>(items: T[], page: number, perPage: number): Page<T>;
-//# sourceMappingURL=paginate.d.ts.map

package/dist/delivery/responses.d.ts

@@ -11,4 +11,3 @@ export declare function robotsResponse(opts: {
     sitemapUrl: string;
     disallow?: string[];
 }): Response;
-//# sourceMappingURL=responses.d.ts.map

package/dist/delivery/robots.d.ts

@@ -3,4 +3,3 @@ export declare function buildRobots(opts: {
     sitemapUrl: string;
     disallow?: string[];
 }): string;
-//# sourceMappingURL=robots.d.ts.map

package/dist/delivery/seo-fields.d.ts

@@ -19,4 +19,3 @@ export declare function readSeoFields(frontmatter: Record<string, unknown>): Seo
  *  bare path also anchors to the origin root; against a sub-path origin it would resolve relative to
  *  that path, per the WHATWG URL rules. */
 export declare function resolveImageUrl(image: string, origin: string): string | undefined;
-//# sourceMappingURL=seo-fields.d.ts.map

package/dist/delivery/seo.d.ts

@@ -35,4 +35,3 @@ export interface SeoMeta {
 }
 /** Build the head data for a page. */
 export declare function buildSeoMeta(input: SeoInput): SeoMeta;
-//# sourceMappingURL=seo.d.ts.map

package/dist/delivery/site-descriptors.d.ts

@@ -2,4 +2,3 @@ import type { CairnAdapter, ConceptDescriptor } from '../content/types.js';
 import type { SiteConfig } from '../nav/site-config.js';
 /** Per-concept descriptors for a site, from its adapter content and its parsed site config. */
 export declare function siteDescriptors(adapter: CairnAdapter, siteConfig: SiteConfig): ConceptDescriptor[];
-//# sourceMappingURL=site-descriptors.d.ts.map

package/dist/delivery/site-descriptors.js

@@ -1,9 +1,8 @@
-// cairn-cms: the one-call descriptor helper. A delivery site needs the same per-concept
-// descriptors the admin runtime uses; this wraps the two calls that derive them so the
-// pairing is not tribal knowledge. The YAML URL policy stays the single source of truth.
-import { normalizeConcepts } from '../content/concepts.js';
-import { urlPolicyFrom } from '../nav/site-config.js';
+// cairn-cms: the one-call descriptor helper. A delivery site needs the same per-concept descriptors
+// the admin runtime uses; this delegates to the shared resolveConcepts so the pairing is one path, not
+// tribal knowledge. The YAML URL policy stays the single source of truth.
+import { resolveConcepts } from '../content/concepts.js';
 /** Per-concept descriptors for a site, from its adapter content and its parsed site config. */
 export function siteDescriptors(adapter, siteConfig) {
-    return normalizeConcepts(adapter.content, urlPolicyFrom(siteConfig));
+    return resolveConcepts(adapter.content, siteConfig);
 }

package/dist/delivery/site-index.d.ts

@@ -31,4 +31,3 @@ export interface SiteIndex {
 export declare function createSiteIndex(concepts: ConceptIndex[], opts?: {
     validate?: boolean;
 }): SiteIndex;
-//# sourceMappingURL=site-index.d.ts.map

package/dist/delivery/site-indexes.d.ts

@@ -23,4 +23,3 @@ export type SiteIndexes<A extends CairnAdapter> = {
 export declare function createSiteIndexes<const A extends CairnAdapter>(adapter: A, config: SiteConfig, globs: SiteGlobs<A>, opts?: {
     validate?: boolean;
 }): SiteIndexes<A>;
-//# sourceMappingURL=site-indexes.d.ts.map

package/dist/delivery/sitemap.d.ts

@@ -5,4 +5,3 @@ export interface SitemapUrl {
 }
 /** Build a sitemap XML document from a list of URLs. */
 export declare function buildSitemap(urls: SitemapUrl[]): string;
-//# sourceMappingURL=sitemap.d.ts.map

package/dist/email.d.ts

@@ -24,4 +24,3 @@ export declare function buildMagicLinkMessage(input: {
 }): MagicLinkMessage;
 /** The production send: Cloudflare Email Sending through the EMAIL binding. */
 export declare const cloudflareSend: SendMagicLink;
-//# sourceMappingURL=email.d.ts.map

package/dist/env.d.ts

@@ -21,4 +21,3 @@ export declare function requireOrigin(env: {
 export declare function requireDb(env: {
     AUTH_DB?: D1Database;
 }): D1Database;
-//# sourceMappingURL=env.d.ts.map

package/dist/github/credentials.d.ts

@@ -9,4 +9,3 @@ export interface GithubKeyEnv {
  * installation) and the Worker's private-key secret. Throws when the secret is unset.
  */
 export declare function appCredentials(backend: Pick<BackendConfig, 'appId' | 'installationId'>, env: GithubKeyEnv): AppCredentials;
-//# sourceMappingURL=credentials.d.ts.map

package/dist/github/repo.d.ts

@@ -67,4 +67,3 @@ export declare function commitFiles(repo: RepoRef, changes: FileChange[], opts:
     author: CommitAuthor;
 }, token: string): Promise<string>;
 export {};
-//# sourceMappingURL=repo.d.ts.map

package/dist/github/signing.d.ts

@@ -26,4 +26,3 @@ export declare function signingSelfTest(appId: string, privateKeyB64: string): P
     ok: boolean;
     detail?: string;
 }>;
-//# sourceMappingURL=signing.d.ts.map

package/dist/github/types.d.ts

@@ -32,4 +32,3 @@ export declare class CommitConflictError extends Error {
     readonly path: string;
     constructor(path: string);
 }
-//# sourceMappingURL=types.d.ts.map

package/dist/index.d.ts

@@ -27,38 +27,11 @@ export type { ReferenceOptions } from './render/component-reference.js';
 export { glyph } from './render/glyph.js';
 export type { IconSet } from './render/glyph.js';
 export { remarkDirectiveStamp } from './render/remark-directives.js';
-export { rehypeDispatch, isElement, strProp, iconSpan, cardShell, headRow, markFirstList, } from './render/rehype-dispatch.js';
+export { rehypeDispatch, iconSpan, cardShell, headRow } from './render/rehype-dispatch.js';
 export type { MakeIcon } from './render/rehype-dispatch.js';
 export { createRenderer } from './render/pipeline.js';
 export type { RendererOptions } from './render/pipeline.js';
 export type { RepoRef, RepoFile, CommitAuthor, AppCredentials } from './github/types.js';
 export { CommitConflictError } from './github/types.js';
-export { appJwt, installationToken, signingSelfTest } from './github/signing.js';
-export { treeUrl, markdownFilesIn, listMarkdown, contentsUrl, readRaw, fileSha, commitFile, } from './github/repo.js';
-export { appCredentials } from './github/credentials.js';
-export type { GithubKeyEnv } from './github/credentials.js';
 export { parseSiteConfig, urlPolicyFrom, extractMenu, setMenu, validateNavTree, MAX_NAV_NODES, NavValidationError, SiteConfigError, } from './nav/site-config.js';
 export type { NavNode, SiteConfig } from './nav/site-config.js';
-export { permalink } from './content/permalink.js';
-export { createContentIndex, fromGlob } from './delivery/content-index.js';
-export type { RawFile, ContentSummary, ContentEntry, ContentIndex, ContentProblem, } from './delivery/content-index.js';
-export { createSiteIndex } from './delivery/site-index.js';
-export type { SiteIndex, ConceptIndex } from './delivery/site-index.js';
-export { createSiteIndexes } from './delivery/site-indexes.js';
-export type { SiteIndexes, SiteGlobs } from './delivery/site-indexes.js';
-export { deriveExcerpt, wordCount } from './delivery/excerpt.js';
-export { buildRssFeed, buildJsonFeed } from './delivery/feeds.js';
-export type { FeedChannel, FeedItem } from './delivery/feeds.js';
-export { buildSitemap } from './delivery/sitemap.js';
-export type { SitemapUrl } from './delivery/sitemap.js';
-export { buildRobots } from './delivery/robots.js';
-export { buildSeoMeta } from './delivery/seo.js';
-export type { SeoInput, SeoMeta } from './delivery/seo.js';
-export { readSeoFields, resolveImageUrl } from './delivery/seo-fields.js';
-export type { SeoFields } from './delivery/seo-fields.js';
-export { paginate } from './delivery/paginate.js';
-export type { Page } from './delivery/paginate.js';
-export { rssResponse, jsonFeedResponse, sitemapResponse, robotsResponse } from './delivery/responses.js';
-export { createPublicRoutes } from './sveltekit/public-routes.js';
-export type { PublicRoutesDeps, ListData, TagData, TagIndexData, EntryData } from './sveltekit/public-routes.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -21,30 +21,8 @@ export { buildComponentInsert } from './render/component-insert.js';
 export { generateComponentReference } from './render/component-reference.js';
 export { glyph } from './render/glyph.js';
 export { remarkDirectiveStamp } from './render/remark-directives.js';
-export { rehypeDispatch, isElement, strProp, iconSpan, cardShell, headRow, markFirstList, } from './render/rehype-dispatch.js';
+export { rehypeDispatch, iconSpan, cardShell, headRow } from './render/rehype-dispatch.js';
 export { createRenderer } from './render/pipeline.js';
 export { CommitConflictError } from './github/types.js';
-export { appJwt, installationToken, signingSelfTest } from './github/signing.js';
-export { treeUrl, markdownFilesIn, listMarkdown, contentsUrl, readRaw, fileSha, commitFile, } from './github/repo.js';
-export { appCredentials } from './github/credentials.js';
 // Nav tree and site-config helpers (Plan 06).
 export { parseSiteConfig, urlPolicyFrom, extractMenu, setMenu, validateNavTree, MAX_NAV_NODES, NavValidationError, SiteConfigError, } from './nav/site-config.js';
-// Public content delivery (public-delivery design): the query index, syndication, and
-// discovery surface that sites read. Pure builders plus the one permalink resolver; the
-// SvelteKit loaders live under the /sveltekit subpath.
-export { permalink } from './content/permalink.js';
-export { createContentIndex, fromGlob } from './delivery/content-index.js';
-export { createSiteIndex } from './delivery/site-index.js';
-export { createSiteIndexes } from './delivery/site-indexes.js';
-export { deriveExcerpt, wordCount } from './delivery/excerpt.js';
-export { buildRssFeed, buildJsonFeed } from './delivery/feeds.js';
-export { buildSitemap } from './delivery/sitemap.js';
-export { buildRobots } from './delivery/robots.js';
-export { buildSeoMeta } from './delivery/seo.js';
-export { readSeoFields, resolveImageUrl } from './delivery/seo-fields.js';
-export { paginate } from './delivery/paginate.js';
-// Root superset of the delivery route surface: a wrong guess from root for a route loader or a
-// response helper now resolves. The CairnHead component stays out of root so the root barrel stays
-// node-importable for the unit suite; it resolves from @glw907/cairn-cms/delivery/head.
-export { rssResponse, jsonFeedResponse, sitemapResponse, robotsResponse } from './delivery/responses.js';
-export { createPublicRoutes } from './sveltekit/public-routes.js';

package/dist/nav/site-config.d.ts

@@ -52,4 +52,3 @@ export declare function urlPolicyFrom(config: SiteConfig): Record<string, Concep
  * serializes without `url`/`children` keys.
  */
 export declare function setMenu(raw: string, name: string, tree: NavNode[]): string;
-//# sourceMappingURL=site-config.d.ts.map

package/dist/render/component-grammar.d.ts

@@ -14,4 +14,3 @@ export declare function parseComponentWithRawKeys(markdown: string, def: Compone
     values: ComponentValues;
     rawKeys: string[];
 }>;
-//# sourceMappingURL=component-grammar.d.ts.map

package/dist/render/component-insert.d.ts

@@ -11,4 +11,3 @@ export type ComponentInsert = {
 /** Serialize a component's form values, then validate the result against its schema. Returns the
  *  markdown to insert at the cursor, or the field errors keyed by attribute key or slot name. */
 export declare function buildComponentInsert(def: ComponentDef, values: ComponentValues): Promise<ComponentInsert>;
-//# sourceMappingURL=component-insert.d.ts.map

package/dist/render/component-reference.d.ts

@@ -8,4 +8,3 @@ export interface ReferenceOptions {
 /** Build a self-contained markdown reference (the llms-full.txt shape) for a component registry, for
  *  authors and for pointing an LLM at one curated file. */
 export declare function generateComponentReference(registry: ComponentRegistry, opts: ReferenceOptions): string;
-//# sourceMappingURL=component-reference.d.ts.map

package/dist/render/component-validate.d.ts

@@ -7,4 +7,3 @@ export type ComponentValidation = {
     errors: Record<string, string>;
 };
 export declare function validateComponent(markdown: string, def: ComponentDef): Promise<ComponentValidation>;
-//# sourceMappingURL=component-validate.d.ts.map

package/dist/render/glyph.d.ts

@@ -6,4 +6,3 @@ export type IconSet = Record<string, string>;
  *  a stray empty (or undefined) path. Callers always wrap the returned element, so the shell
  *  keeps them safe. */
 export declare function glyph(name: string, icons: IconSet): Element;
-//# sourceMappingURL=glyph.d.ts.map

package/dist/render/index.d.ts

@@ -3,4 +3,3 @@ export * from './glyph.js';
 export * from './remark-directives.js';
 export * from './rehype-dispatch.js';
 export * from './pipeline.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/render/pipeline.d.ts

@@ -31,4 +31,3 @@ export declare function createRenderer(registry?: ComponentRegistry, options?: R
         resolve?: LinkResolve;
     }) => Promise<string>;
 };
-//# sourceMappingURL=pipeline.d.ts.map

package/dist/render/pipeline.js

@@ -8,7 +8,7 @@ import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
 import rehypeSanitize from 'rehype-sanitize';
 import { VFile } from 'vfile';
-import { buildSanitizeSchema, rehypeAnchorRel } from './sanitize-schema.js';
+import { buildSanitizeSchema, rehypeAnchorRel, rehypeSinkGuard } from './sanitize-schema.js';
 import { remarkDirectiveStamp } from './remark-directives.js';
 import { remarkResolveCairnLinks, CAIRN_RESOLVE } from './resolve-links.js';
 import { rehypeDispatch } from './rehype-dispatch.js';
@@ -33,6 +33,10 @@ export function createRenderer(registry = defineRegistry({ components: [] }), op
     ];
     if (rel !== false)
         rehypePlugins.push([rehypeAnchorRel, rel]);
+    // The sink guard runs last, over the fully-built tree, so it neutralizes a sink a component
+    // build() emitted after the floor. Gated by the same switch as the floor.
+    if (!options.unsafeDisableSanitize)
+        rehypePlugins.push(rehypeSinkGuard);
     const processor = unified()
         .use(remarkParse)
         .use(remarkGfm)

package/dist/render/registry.d.ts

@@ -91,4 +91,3 @@ export interface ComponentValues {
 /** Seed an empty {@link ComponentValues} from a component's schema: attribute defaults (or '' / false)
  *  and empty slot values ([] for repeatable, '' otherwise). */
 export declare function emptyValues(def: ComponentDef): ComponentValues;
-//# sourceMappingURL=registry.d.ts.map

package/dist/render/rehype-dispatch.d.ts

@@ -23,4 +23,3 @@ export declare function markFirstList(children: ElementContent[]): Element | und
  *  `data-rise` while dropping `style`. Nested primitives never get it. Non-primitive
  *  content (lede, intro paragraphs, the page-toc nav) passes through untouched. */
 export declare function rehypeDispatch(registry: ComponentRegistry, stagger?: boolean): (tree: Root) => void;
-//# sourceMappingURL=rehype-dispatch.d.ts.map

package/dist/render/remark-directives.d.ts

@@ -1,4 +1,3 @@
 import type { Root } from 'mdast';
 import { type ComponentRegistry } from './registry.js';
 export declare function remarkDirectiveStamp(registry: ComponentRegistry): (tree: Root) => void;
-//# sourceMappingURL=remark-directives.d.ts.map

package/dist/render/resolve-links.d.ts

@@ -5,4 +5,3 @@ export declare const CAIRN_RESOLVE = "cairnResolve";
  *  pass through. A missing target is marked with the cairn-broken-link class (the resolver returns
  *  undefined) or, when the resolver throws, the error propagates and fails the build. */
 export declare function remarkResolveCairnLinks(): (tree: unknown, file: VFile) => void;
-//# sourceMappingURL=resolve-links.d.ts.map

package/dist/render/sanitize-schema.d.ts

@@ -18,4 +18,17 @@ export declare function buildSanitizeSchema(registry: ComponentRegistry, extend?
  * `anchorRel` option (default `noopener noreferrer`); a site can override it or disable it entirely.
  */
 export declare function rehypeAnchorRel(rel: string): (tree: Root) => void;
-//# sourceMappingURL=sanitize-schema.d.ts.map
+/**
+ * Post-dispatch safety floor over the fully-built tree. The pre-dispatch rehype-sanitize floor
+ * cleans author content, but a component build() runs after it and can route a raw author
+ * attribute value into a sink. This guard runs last and neutralizes those sinks on every element
+ * no matter which plugin or which build() produced it: an unsafe URL scheme in a URL-bearing
+ * attribute, an inline on* event handler, or an inline style (stripped wholesale, matching the
+ * floor and cairn's class-driven styling). It is gated by the same unsafeDisableSanitize switch as
+ * the floor.
+ *
+ * The guard's boundary is the URL scheme check plus the on* and style strip. It does not remove a
+ * build()-emitted raw script, style, or iframe srcdoc element node. A build() that emits those is
+ * running site-developer code, and author markdown is cleaned by the pre-dispatch floor.
+ */
+export declare function rehypeSinkGuard(): (tree: Root) => void;

package/dist/render/sanitize-schema.js

@@ -56,3 +56,99 @@ export function rehypeAnchorRel(rel) {
         });
     };
 }
+// URL-bearing hast properties the post-dispatch guard scheme-checks. hast camelCases attribute
+// names through property-information (srcset -> srcSet, xlink:href -> xLinkHref with a capital L,
+// formaction -> formAction). data is the <object data> URL attribute; data-* attributes camelCase
+// to dataFoo and are not matched here.
+const URL_PROPS = new Set([
+    'href',
+    'src',
+    'srcSet',
+    'xLinkHref',
+    'poster',
+    'formAction',
+    'action',
+    'data',
+    'background',
+]);
+// The safe URL schemes: the union of every protocol list in defaultSchema, plus cairn. The
+// floor admits these and strips the rest, so deriving from the same source keeps the floor and
+// this guard from drifting on what a safe scheme is. javascript:/data:/vbscript: are never in
+// defaultSchema, so they are never safe.
+const SAFE_SCHEMES = (() => {
+    const protocols = defaultSchema.protocols ?? {};
+    const schemes = new Set(['cairn']);
+    for (const list of Object.values(protocols)) {
+        for (const scheme of list ?? [])
+            schemes.add(String(scheme).toLowerCase());
+    }
+    return schemes;
+})();
+// Read a URL value's scheme for the safety check, defeating the whitespace and control-character
+// tricks a browser ignores inside a scheme (java\tscript:, a leading space). A value with no
+// scheme (relative, anchor, query) returns undefined and is always safe.
+function urlScheme(value) {
+    const cleaned = value.replace(/[\x00-\x20]+/g, '');
+    const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+    return match ? match[1].toLowerCase() : undefined;
+}
+function isSafeUrl(value) {
+    const scheme = urlScheme(value);
+    return scheme === undefined || SAFE_SCHEMES.has(scheme);
+}
+// srcset is "url descriptor, url descriptor, …". hast may store it as a string or, because
+// property-information marks it comma-separated, as a string array. One unsafe candidate makes
+// the whole attribute unsafe.
+function isSafeSrcset(value) {
+    const candidates = Array.isArray(value)
+        ? value.map(String)
+        : typeof value === 'string'
+            ? value.split(',')
+            : [];
+    return candidates.every((candidate) => {
+        const url = candidate.trim().split(/\s+/)[0];
+        return url === '' || isSafeUrl(url);
+    });
+}
+// Decide whether one URL-bearing property value is safe to keep. srcset has its own
+// multi-candidate grammar. A non-string value carries no scheme to abuse, so the floor's own
+// handling stands and the guard leaves it alone.
+function isSafeUrlProp(key, value) {
+    if (key === 'srcSet')
+        return isSafeSrcset(value);
+    if (typeof value !== 'string')
+        return true;
+    return isSafeUrl(value);
+}
+/**
+ * Post-dispatch safety floor over the fully-built tree. The pre-dispatch rehype-sanitize floor
+ * cleans author content, but a component build() runs after it and can route a raw author
+ * attribute value into a sink. This guard runs last and neutralizes those sinks on every element
+ * no matter which plugin or which build() produced it: an unsafe URL scheme in a URL-bearing
+ * attribute, an inline on* event handler, or an inline style (stripped wholesale, matching the
+ * floor and cairn's class-driven styling). It is gated by the same unsafeDisableSanitize switch as
+ * the floor.
+ *
+ * The guard's boundary is the URL scheme check plus the on* and style strip. It does not remove a
+ * build()-emitted raw script, style, or iframe srcdoc element node. A build() that emits those is
+ * running site-developer code, and author markdown is cleaned by the pre-dispatch floor.
+ */
+export function rehypeSinkGuard() {
+    return (tree) => {
+        visit(tree, 'element', (node) => {
+            const props = node.properties;
+            if (!props)
+                return;
+            for (const key of Object.keys(props)) {
+                if (/^on/i.test(key) || key === 'style') {
+                    delete props[key];
+                    continue;
+                }
+                if (!URL_PROPS.has(key))
+                    continue;
+                if (!isSafeUrlProp(key, props[key]))
+                    delete props[key];
+            }
+        });
+    };
+}

package/dist/sveltekit/auth-routes.d.ts

@@ -20,4 +20,3 @@ export declare function createAuthRoutes(config: AuthRoutesConfig): {
     confirmAction: (event: RequestContext) => Promise<never>;
     logoutAction: (event: RequestContext) => Promise<never>;
 };
-//# sourceMappingURL=auth-routes.d.ts.map

package/dist/sveltekit/content-routes.d.ts

@@ -89,4 +89,3 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mintToken: (env: GithubKeyEnv) => Promise<string>;
 };
-//# sourceMappingURL=content-routes.d.ts.map

package/dist/sveltekit/editors-routes.d.ts

@@ -21,4 +21,3 @@ export declare function createEditorRoutes(): {
         ok: true;
     }>;
 };
-//# sourceMappingURL=editors-routes.d.ts.map

package/dist/sveltekit/guard.d.ts

@@ -6,4 +6,3 @@ export declare function createAuthGuard(): ({ event, resolve }: HandleInput) =>
 export declare function requireSession(event: RequestContext): Editor;
 /** For the management surface: a signed-in owner, or 403 for an editor. */
 export declare function requireOwner(event: RequestContext): Editor;
-//# sourceMappingURL=guard.d.ts.map

package/dist/sveltekit/health.d.ts

@@ -16,4 +16,3 @@ export declare function healthLoad(event: {
         env?: GithubKeyEnv;
     };
 }, runtime: CairnRuntime): Promise<HealthData>;
-//# sourceMappingURL=health.d.ts.map

package/dist/sveltekit/index.d.ts

@@ -7,6 +7,4 @@ export { createNavRoutes } from './nav-routes.js';
 export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
 export { healthLoad, type HealthData } from './health.js';
 export type { RequestContext, CookieJar, HandleInput } from './types.js';
-export { createPublicRoutes } from './public-routes.js';
-export type { PublicRoutesDeps, ListData as PublicListData, TagData, TagIndexData, EntryData, } from './public-routes.js';
-//# sourceMappingURL=index.d.ts.map
+export type { GithubKeyEnv } from '../github/credentials.js';

package/dist/sveltekit/index.js

@@ -6,4 +6,3 @@ export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
 export { healthLoad } from './health.js';
-export { createPublicRoutes } from './public-routes.js';

package/dist/sveltekit/nav-routes.d.ts

@@ -27,4 +27,3 @@ export declare function createNavRoutes(runtime: CairnRuntime, deps?: NavRoutesD
     navLoad: (event: ContentEvent) => Promise<NavLoadData>;
     navSave: (event: ContentEvent) => Promise<never>;
 };
-//# sourceMappingURL=nav-routes.d.ts.map

package/dist/sveltekit/public-routes.d.ts

@@ -64,4 +64,3 @@ export declare function createPublicRoutes(deps: PublicRoutesDeps): {
         path: string;
     }[];
 };
-//# sourceMappingURL=public-routes.d.ts.map

package/dist/sveltekit/types.d.ts

@@ -35,4 +35,3 @@ export interface HandleInput {
     event: RequestContext;
     resolve(event: RequestContext): Promise<Response> | Response;
 }
-//# sourceMappingURL=types.d.ts.map

package/dist/vite/bin.d.ts

@@ -1,3 +1,2 @@
 #!/usr/bin/env node
 export {};
-//# sourceMappingURL=bin.d.ts.map

package/dist/vite/index.d.ts

@@ -30,4 +30,3 @@ export declare function cairnManifest(opts: CairnManifestOptions): Plugin;
  *  resolution, and writes the serialized manifest. The cairn-manifest bin calls this; it is exported
  *  so the write logic is testable apart from the CLI shell. */
 export declare function writeManifest(cwd?: string): Promise<void>;
-//# sourceMappingURL=index.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.26.0",
+  "version": "0.29.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -28,6 +28,7 @@
   "scripts": {
     "package": "svelte-package && chmod +x dist/vite/bin.js",
     "check:package": "npm run package && publint --strict && attw --pack . --ignore-rules no-resolution cjs-resolves-to-esm internal-resolution-error",
+    "check:reference": "npm run package && node scripts/reference-coverage.mjs",
     "prepare": "npm run package",
     "check": "svelte-check --tsconfig ./tsconfig.json",
     "test": "vitest run",

package/src/lib/content/compose.ts

@@ -4,8 +4,8 @@
 // concepts, components, field types, and save hooks. Shaped now so the extension contract
 // is additive later.
 import type { AdminPanel, CairnAdapter, CairnExtension, CairnRuntime, ConceptConfig, FieldTypeDef } from './types.js';
-import { normalizeConcepts } from './concepts.js';
-import { urlPolicyFrom, type SiteConfig } from '../nav/site-config.js';
+import { resolveConcepts } from './concepts.js';
+import type { SiteConfig } from '../nav/site-config.js';
 
 /** The input to {@link composeRuntime}. `siteConfig` is required so the per-concept URL policy is
  *  always derived from one source and can never be silently dropped. `extensions` fold in after the
@@ -36,7 +36,7 @@ export function composeRuntime({ adapter, siteConfig, extensions = [] }: Compose
   }
   return {
     siteName: adapter.siteName,
-    concepts: normalizeConcepts(content, urlPolicyFrom(siteConfig)),
+    concepts: resolveConcepts(content, siteConfig),
     backend: adapter.backend,
     sender: adapter.sender,
     render: adapter.render,

package/src/lib/content/concepts.ts

@@ -4,6 +4,7 @@
 // future Fragments concept attaches by adding one key under `content` and one routing
 // entry, with no reshape here.
 import type { ConceptConfig, ConceptDescriptor, ConceptUrlPolicy, RoutingRule } from './types.js';
+import { urlPolicyFrom, type SiteConfig } from '../nav/site-config.js';
 
 /**
  * Concept-fixed routing, keyed by concept id (spec §7.2). Posts are dated feed entries;
@@ -28,6 +29,43 @@ function defaultPermalink(id: string): string {
   return id === 'pages' ? '/:slug' : `/${id}/:slug`;
 }
 
+/** Permalink tokens the resolver understands. */
+const KNOWN_TOKENS = new Set(['slug', 'year', 'month', 'day']);
+/** The date-bearing tokens; valid only for a dated concept. */
+const DATE_TOKENS = new Set(['year', 'month', 'day']);
+/** The valid date-prefix granularities. A runtime check, since the YAML is untyped. */
+const DATE_PREFIXES = new Set<string>(['year', 'month', 'day']);
+
+/**
+ * Validate one concept's URL policy at build, so a misconfigured permalink or datePrefix fails loudly
+ * here rather than emitting a wrong or defaulted URL at render. The permalink must be root-relative and
+ * use only known tokens, a date token requires a dated concept, and the datePrefix must be in range.
+ */
+function validateUrlPolicy(id: string, policy: ConceptUrlPolicy, dated: boolean): void {
+  if (policy.permalink !== undefined) {
+    const pattern = policy.permalink;
+    if (!pattern.startsWith('/')) {
+      throw new Error(`cairn: concept "${id}" permalink "${pattern}" must start with "/"`);
+    }
+    for (const match of pattern.matchAll(/:(\w+)/g)) {
+      const token = match[1];
+      if (!KNOWN_TOKENS.has(token)) {
+        throw new Error(`cairn: concept "${id}" permalink "${pattern}" uses unknown token ":${token}"`);
+      }
+      if (DATE_TOKENS.has(token) && !dated) {
+        throw new Error(
+          `cairn: concept "${id}" is not dated, so permalink "${pattern}" cannot use the date token ":${token}"`,
+        );
+      }
+    }
+  }
+  if (policy.datePrefix !== undefined && !DATE_PREFIXES.has(policy.datePrefix)) {
+    throw new Error(
+      `cairn: concept "${id}" datePrefix "${policy.datePrefix}" must be one of year, month, day`,
+    );
+  }
+}
+
 /**
  * Normalize an adapter's declared concepts into uniform descriptors (seam 1). URL policy
  * (`permalink`, `datePrefix`) comes from the YAML site-config, passed here as `urlPolicy` keyed by
@@ -41,6 +79,14 @@ export function normalizeConcepts(
   routing: Readonly<Record<string, RoutingRule>> = CONCEPT_ROUTING,
 ): ConceptDescriptor[] {
   const descriptors: ConceptDescriptor[] = [];
+  const declaredConcepts = new Set(
+    Object.keys(content).filter((key) => content[key] !== undefined),
+  );
+  for (const key of Object.keys(urlPolicy)) {
+    if (!declaredConcepts.has(key)) {
+      throw new Error(`cairn: URL policy names concept "${key}", which is not declared under content`);
+    }
+  }
   for (const [id, config] of Object.entries(content)) {
     if (!config) continue;
     const summaryFields = config.summaryFields ?? [];
@@ -51,12 +97,14 @@ export function normalizeConcepts(
         `cairn: concept "${id}" summaryFields key "${undeclared}" is not a declared field`,
       );
     }
+    const conceptRouting = routing[id] ?? DEFAULT_ROUTING;
     const policy = urlPolicy[id] ?? {};
+    validateUrlPolicy(id, policy, conceptRouting.dated);
     descriptors.push({
       id,
       label: config.label ?? defaultLabel(id),
       dir: config.dir,
-      routing: routing[id] ?? DEFAULT_ROUTING,
+      routing: conceptRouting,
       permalink: policy.permalink ?? defaultPermalink(id),
       datePrefix: policy.datePrefix ?? 'day',
       fields: config.schema.fields,
@@ -67,6 +115,18 @@ export function normalizeConcepts(
   return descriptors;
 }
 
+/**
+ * Resolve a site's concept descriptors from its content map and parsed site config. The admin runtime
+ * (composeRuntime) and the delivery layer (siteDescriptors) both call this, so the per-concept URL
+ * policy is derived once from the YAML and the runtime and delivery permalinks cannot diverge.
+ */
+export function resolveConcepts(
+  content: Record<string, ConceptConfig | undefined>,
+  siteConfig: SiteConfig,
+): ConceptDescriptor[] {
+  return normalizeConcepts(content, urlPolicyFrom(siteConfig));
+}
+
 /** Look up a normalized concept by id, or undefined when the site does not enable it. */
 export function findConcept(
   concepts: ConceptDescriptor[],