@glw907/cairn-cms 0.29.0 → 0.34.0

package/dist/components/cairn-favicon.d.ts

@@ -0,0 +1,2 @@
+/** The cairn mark as a `data:image/svg+xml` URL, for a `<link rel="icon">` on the admin pages. */
+export declare const cairnFaviconHref: string;

package/dist/components/cairn-favicon.js

@@ -0,0 +1,7 @@
+// The cairn mark as an inline SVG data URL, so an admin browser tab carries Cairn's brand. The fill
+// is a fixed violet near the admin primary, since a favicon cannot read a CSS variable. The path is
+// the same public-domain Temaki cairn used by CairnLogo.svelte.
+const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 15 15" fill="#7c3aed">' +
+    '<path d="M6.28 14C5.56 14 1 13.89 1 12.91C1 11.46 2.16 11.07 3.2 10.81C4.36 10.51 13.18 9.77 13.76 10.07C14.46 10.43 13.52 12.49 12.44 12.77C11.28 13.07 10.21 14 8.48 14C7.05 14 9.69 14 6.28 14ZM6.92 4.5C6.67 4.5 5 4.43 5 3.88C5 3.07 5.75 2.51 5.96 2.35C6.36 2.03 6.32 1.62 6.54 1.27C6.84 0.79 7.61 0.5 7.88 0.5C8.1 0.5 8.75 0.9 9.23 1.42C9.45 1.66 10 2.77 10 3.12C10 4.22 9.36 4.5 8.85 4.5C8.33 4.5 8.15 4.5 6.92 4.5ZM3.68 8.22C3 7.73 3.67 6.86 4.57 6.21C5.38 5.63 5.92 5.96 6.79 5.7C8.33 5.24 9.02 5.72 9.02 5.72L10.9 6.82C12.03 7.63 10.99 7.67 10.38 8.56C9.79 9.42 8.18 9.11 7.42 9.33C6.78 9.53 5.75 9.71 4.62 8.9L3.68 8.22Z"/></svg>';
+/** The cairn mark as a `data:image/svg+xml` URL, for a `<link rel="icon">` on the admin pages. */
+export const cairnFaviconHref = `data:image/svg+xml,${encodeURIComponent(svg)}`;

package/dist/components/chrome-guard.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Inspect the admin root's ancestor chain for host chrome. Returns a diagnostic when a
+ * width-constraining ancestor sits between the root and <body>, else null. Pure over the DOM so a
+ * test can build either shape. The sibling signal (host elements outside the admin subtree) is folded
+ * into the message as context rather than raised on its own, because it is the noisier of the two.
+ */
+export declare function detectChromeWrap(root: HTMLElement): string | null;
+/** Run the check in dev and log one error when host chrome is detected. A no-op in production. */
+export declare function warnIfChromeWrapped(root: HTMLElement): void;

package/dist/components/chrome-guard.js

@@ -0,0 +1,55 @@
+// Dev-only structural check that catches a host mounting the admin inside its own chrome. Every admin
+// rule is scoped and the admin self-styles, but a host whose root layout wraps the admin in a
+// width-constraining container (a `<main class="container">`) or renders its nav and footer around it
+// breaks the full-bleed admin shell. The engine cannot prevent that layout mistake, so it names it.
+// The check walks the ancestor chain once on mount and emits one console.error that points at the
+// route-structure doc. The public entry runs only under import.meta.env.DEV, never throws, and changes
+// no rendering.
+const DOC = 'docs/admin-route-structure.md';
+// max-width values that do not actually constrain the admin below the viewport. A host that sets a
+// defensive `max-width: 100%` or `100vw` on a wrapper is not chrome, so skip those to avoid a spurious
+// dev error. A real constraining container uses an absolute length (`64rem`, `1280px`) or a sub-100
+// percentage, both of which still trip the guard.
+const NON_CONSTRAINING = new Set(['none', '100%', '100vw']);
+function describe(el) {
+    const tag = el.tagName.toLowerCase();
+    const cls = el.getAttribute('class');
+    return cls ? `<${tag} class="${cls}">` : `<${tag}>`;
+}
+/**
+ * Inspect the admin root's ancestor chain for host chrome. Returns a diagnostic when a
+ * width-constraining ancestor sits between the root and <body>, else null. Pure over the DOM so a
+ * test can build either shape. The sibling signal (host elements outside the admin subtree) is folded
+ * into the message as context rather than raised on its own, because it is the noisier of the two.
+ */
+export function detectChromeWrap(root) {
+    const body = root.ownerDocument.body;
+    let constrainer = null;
+    let maxWidth = '';
+    for (let el = root.parentElement; el && el !== body; el = el.parentElement) {
+        const elMaxWidth = getComputedStyle(el).maxWidth;
+        if (elMaxWidth && !NON_CONSTRAINING.has(elMaxWidth)) {
+            constrainer = el;
+            maxWidth = elMaxWidth;
+            break;
+        }
+    }
+    if (!constrainer)
+        return null;
+    const siblings = [...body.children].filter((el) => !el.contains(root) && !root.contains(el) && el !== root);
+    const siblingNote = siblings.length
+        ? ` Host elements also sit beside the admin in <body> (${siblings.map(describe).join(', ')}).`
+        : '';
+    return (`[cairn-cms] The admin is rendering inside host chrome. A width-constraining ancestor ` +
+        `${describe(constrainer)} (max-width: ${maxWidth}) sits between the admin root and <body>, so the ` +
+        `admin shell cannot fill the viewport.${siblingNote} Keep the host root layout chrome-free and move ` +
+        `your nav, footer, and app.css into a (site) route group. See ${DOC}.`);
+}
+/** Run the check in dev and log one error when host chrome is detected. A no-op in production. */
+export function warnIfChromeWrapped(root) {
+    if (!import.meta.env.DEV)
+        return;
+    const problem = detectChromeWrap(root);
+    if (problem)
+        console.error(problem);
+}

package/dist/components/fonts/BricolageGrotesque-OFL.txt

@@ -0,0 +1,93 @@
+Copyright 2022 The Bricolage Grotesque Project Authors (https://github.com/ateliertriay/bricolage)
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+https://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.

package/dist/components/fonts/Figtree-OFL.txt

@@ -0,0 +1,93 @@
+Copyright 2022 The Figtree Project Authors (https://github.com/erikdkennedy/figtree)
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.

package/dist/index.d.ts

@@ -27,8 +27,6 @@ export type { ReferenceOptions } from './render/component-reference.js';
 export { glyph } from './render/glyph.js';
 export type { IconSet } from './render/glyph.js';
 export { remarkDirectiveStamp } from './render/remark-directives.js';
-export { rehypeDispatch, iconSpan, cardShell, headRow } from './render/rehype-dispatch.js';
-export type { MakeIcon } from './render/rehype-dispatch.js';
 export { createRenderer } from './render/pipeline.js';
 export type { RendererOptions } from './render/pipeline.js';
 export type { RepoRef, RepoFile, CommitAuthor, AppCredentials } from './github/types.js';

package/dist/index.js

@@ -21,7 +21,10 @@ export { buildComponentInsert } from './render/component-insert.js';
 export { generateComponentReference } from './render/component-reference.js';
 export { glyph } from './render/glyph.js';
 export { remarkDirectiveStamp } from './render/remark-directives.js';
-export { rehypeDispatch, iconSpan, cardShell, headRow } from './render/rehype-dispatch.js';
+// The component-authoring helpers (iconSpan, cardShell, headRow, isElement, strAttr) live on the
+// @glw907/cairn-cms/render subpath, not the root barrel. rehypeDispatch is deliberately not public:
+// createRenderer is the one public render pipeline, so the safe plugin ordering is the only public
+// path. See docs/superpowers/specs/2026-06-05-cairn-render-authoring-surface-design.md.
 export { createRenderer } from './render/pipeline.js';
 export { CommitConflictError } from './github/types.js';
 // Nav tree and site-config helpers (Plan 06).

package/dist/render/authoring.d.ts

@@ -0,0 +1,3 @@
+export { iconSpan, cardShell, headRow, isElement, strAttr } from './rehype-dispatch.js';
+export type { MakeIcon } from './rehype-dispatch.js';
+export type { ComponentContext } from './registry.js';

package/dist/render/authoring.js

@@ -0,0 +1,5 @@
+// cairn-cms: the component-authoring toolkit (@glw907/cairn-cms/render). A site authoring components
+// through build(ctx) reaches for these hast builders and the string-attribute reader. Curated on
+// purpose: the internal hast helpers (strProp, markFirstList, dataAttrProp) stay internal, and
+// rehypeDispatch is deliberately omitted (createRenderer is the one public render pipeline).
+export { iconSpan, cardShell, headRow, isElement, strAttr } from './rehype-dispatch.js';

package/dist/render/registry.d.ts

@@ -70,6 +70,8 @@ export interface ComponentRegistry {
     names: string[];
     get(name: string): ComponentDef | undefined;
     defaultIcon(name: string, role?: string): string | undefined;
+    /** The component's first `type:'icon'` attribute, or undefined when it declares none. */
+    iconField(name: string): AttributeField | undefined;
 }
 /** The hast property name carrying one declared attribute from stamp to dispatch, e.g. `tone`
  *  becomes `dataAttrTone`. The directive stamp writes it and the rehype dispatch reads it, so both

package/dist/render/registry.js

@@ -4,17 +4,32 @@
 export function dataAttrProp(key) {
     return `dataAttr${key.charAt(0).toUpperCase()}${key.slice(1)}`;
 }
+/** A component's first `type:'icon'` attribute, or undefined when it declares none. Both the
+ *  construction-time guard and the registry's `iconField` derive the icon field from this one
+ *  predicate rather than spelling the `type === 'icon'` find twice. */
+function findIconField(def) {
+    return def.attributes?.find((field) => field.type === 'icon');
+}
 /**
  * Build a registry from a site's component definitions. The single source the render
  * pipeline (directive stamp plus rehype dispatch) and the editor palette both read.
  */
 export function defineRegistry({ components }) {
+    for (const c of components) {
+        if (c.defaultIconByRole && Object.keys(c.defaultIconByRole).length > 0 && !findIconField(c)) {
+            throw new Error(`cairn: component "${c.name}" sets defaultIconByRole but declares no type:'icon' attribute, so the default icon can never render`);
+        }
+    }
     const byName = new Map(components.map((c) => [c.name, c]));
     return {
         defs: components,
         names: components.map((c) => c.name),
         get: (name) => byName.get(name),
         defaultIcon: (name, role) => (role ? byName.get(name)?.defaultIconByRole?.[role] : undefined),
+        iconField: (name) => {
+            const def = byName.get(name);
+            return def ? findIconField(def) : undefined;
+        },
     };
 }
 /** Seed an empty {@link ComponentValues} from a component's schema: attribute defaults (or '' / false)

package/dist/render/rehype-dispatch.d.ts

@@ -1,6 +1,9 @@
 import type { Root, Element, ElementContent } from 'hast';
-import { type ComponentRegistry } from './registry.js';
+import { type ComponentContext, type ComponentRegistry } from './registry.js';
 export declare function isElement(node: ElementContent | undefined): node is Element;
+/** Read a declared string attribute off the component context, returning undefined for a boolean or
+ *  absent value. Replaces the `typeof ctx.attributes[key] === 'string'` narrowing a build repeats. */
+export declare function strAttr(ctx: ComponentContext, key: string): string | undefined;
 export declare function strProp(node: Element, name: string): string | undefined;
 /** Wrap a pre-built glyph in an ec-icon span; secondary role adds the modifier. */
 export declare function iconSpan(glyphEl: Element, role?: string): Element;
@@ -8,11 +11,11 @@ export declare function iconSpan(glyphEl: Element, role?: string): Element;
 export type MakeIcon = (name: string, role?: string) => Element;
 /** Section wrapper: `<section class=…><div class="card-body">…</div></section>`. */
 export declare function cardShell(classes: string[], body: ElementContent[]): Element;
-/** Card head row: `<div class="ec-head">[icon]<h2 class="card-title">{title}</h2></div>`.
- *  Pass the title's inline children and an optional pre-built icon element, the way `cardShell`
- *  takes already-built body content. This factors the icon-plus-heading head that a titled
- *  component build would otherwise rebuild by hand (the shape the removed `splitHead` produced). */
-export declare function headRow(title: ElementContent[], icon?: Element): Element;
+/** Card head row: `<div class="ec-head">[icon]<hN class="card-title">{title}</hN></div>`.
+ *  Pass the title's inline children, an optional pre-built icon element, and an optional heading
+ *  level (default 2). This factors the icon-plus-heading head that a titled component build would
+ *  otherwise rebuild by hand (the shape the removed `splitHead` produced). */
+export declare function headRow(title: ElementContent[], icon?: Element, level?: number): Element;
 /** Tag the first <ul> among children with `ec-grid` and strip its whitespace-only
  *  text nodes so the bare list serializes without newlines. Returns that <ul>. */
 export declare function markFirstList(children: ElementContent[]): Element | undefined;

package/dist/render/rehype-dispatch.js

@@ -3,6 +3,12 @@ import { dataAttrProp } from './registry.js';
 export function isElement(node) {
     return !!node && node.type === 'element';
 }
+/** Read a declared string attribute off the component context, returning undefined for a boolean or
+ *  absent value. Replaces the `typeof ctx.attributes[key] === 'string'` narrowing a build repeats. */
+export function strAttr(ctx, key) {
+    const value = ctx.attributes[key];
+    return typeof value === 'string' ? value : undefined;
+}
 // hast Properties values are PropertyValue (string | number | boolean | array | null).
 // Directive markers (dataPrimitive/dataRole/dataAttr<Key>) are always stamped as strings;
 // this reads them back with that guarantee instead of casting at each call site.
@@ -19,15 +25,15 @@ export function iconSpan(glyphEl, role) {
 export function cardShell(classes, body) {
     return h('section', { className: classes }, [h('div', { className: ['card-body'] }, body)]);
 }
-/** Card head row: `<div class="ec-head">[icon]<h2 class="card-title">{title}</h2></div>`.
- *  Pass the title's inline children and an optional pre-built icon element, the way `cardShell`
- *  takes already-built body content. This factors the icon-plus-heading head that a titled
- *  component build would otherwise rebuild by hand (the shape the removed `splitHead` produced). */
-export function headRow(title, icon) {
+/** Card head row: `<div class="ec-head">[icon]<hN class="card-title">{title}</hN></div>`.
+ *  Pass the title's inline children, an optional pre-built icon element, and an optional heading
+ *  level (default 2). This factors the icon-plus-heading head that a titled component build would
+ *  otherwise rebuild by hand (the shape the removed `splitHead` produced). */
+export function headRow(title, icon, level = 2) {
     const children = [];
     if (icon)
         children.push(icon);
-    children.push(h('h2', { className: ['card-title'] }, title));
+    children.push(h(`h${level}`, { className: ['card-title'] }, title));
     return h('div', { className: ['ec-head'] }, children);
 }
 /** Tag the first <ul> among children with `ec-grid` and strip its whitespace-only

package/dist/render/remark-directives.js

@@ -60,7 +60,7 @@ export function remarkDirectiveStamp(registry) {
             const def = registry.get(node.name);
             const attrs = node.attributes ?? {};
             const role = attrs.role || undefined;
-            const iconField = def?.attributes?.find((field) => field.type === 'icon');
+            const iconField = registry.iconField(node.name);
             const iconKey = iconField?.key ?? 'icon';
             let icon = attrs[iconKey] || undefined;
             if (!icon && role)

package/dist/sveltekit/content-routes.d.ts

@@ -8,11 +8,12 @@ export interface NavConcept {
     id: string;
     label: string;
 }
-/** The admin layout's data: site identity, the signed-in user, the nav, and the active path. */
+/** The admin layout's data: site identity, the signed-in user, the nav, the active path, and theme. */
 export interface LayoutData {
     siteName: string;
     user: {
         displayName: string;
+        email: string;
         role: Role;
     };
     concepts: NavConcept[];
@@ -20,6 +21,11 @@ export interface LayoutData {
     canManageEditors: boolean;
     /** The nav menu's label when the site configures one; gates the Navigation nav entry. Null otherwise. */
     navLabel: string | null;
+    /** The admin theme resolved for SSR: the persisted cookie choice, or the light default. */
+    theme: 'cairn-admin' | 'cairn-admin-dark';
+    /** The nav group labels the user has collapsed, from the persisted cookie. Read at SSR so a
+     *  collapsed group renders collapsed with no flash. Empty when none are collapsed. */
+    collapsedNav: string[];
 }
 /** One row in a concept's list view. */
 export interface EntrySummary {
@@ -72,6 +78,10 @@ export interface ContentEvent {
     platform?: {
         env?: GithubKeyEnv;
     };
+    /** SvelteKit's cookie jar; the layout load reads the persisted admin theme. Optional for non-route callers. */
+    cookies?: {
+        get(name: string): string | undefined;
+    };
 }
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface ContentRoutesDeps {
@@ -86,6 +96,7 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     editLoad: (event: ContentEvent) => Promise<EditData>;
     saveAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     deleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    listDeleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mintToken: (env: GithubKeyEnv) => Promise<string>;
 };

package/dist/sveltekit/content-routes.js

@@ -29,16 +29,24 @@ function conceptOf(runtime, params) {
 }
 export function createContentRoutes(runtime, deps = {}) {
     const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
-    /** Layout load for every admin page: the nav, the user, and the active path. */
+    /** Layout load for every admin page: the nav, the user, the active path, and the resolved theme. */
     function layoutLoad(event) {
         const editor = sessionOf(event);
+        const cookieTheme = event.cookies?.get('cairn-admin-theme');
+        const theme = cookieTheme === 'cairn-admin-dark' ? 'cairn-admin-dark' : 'cairn-admin';
+        const cookieCollapsed = event.cookies?.get('cairn-admin-nav-collapsed');
+        const collapsedNav = cookieCollapsed
+            ? cookieCollapsed.split(',').map((part) => decodeURIComponent(part)).filter(Boolean)
+            : [];
         return {
             siteName: runtime.siteName,
-            user: { displayName: editor.displayName, role: editor.role },
+            user: { displayName: editor.displayName, email: editor.email, role: editor.role },
             concepts: runtime.concepts.map((c) => ({ id: c.id, label: c.label })),
             pathname: event.url.pathname,
             canManageEditors: editor.role === 'owner',
             navLabel: runtime.navMenu?.label ?? null,
+            theme,
+            collapsedNav,
         };
     }
     /** Redirect /admin to the first concept's list (spec §7.6: land on the first concept). */
@@ -251,15 +259,12 @@ export function createContentRoutes(runtime, deps = {}) {
         const savedQuery = draft.length ? `saved=1&drafts=${encodeURIComponent(draft.join(','))}` : 'saved=1';
         throw redirect(303, `/admin/${concept.id}/${id}?${savedQuery}`);
     }
-    /** Delete an entry. Block-until-clean: refuse while inbound links exist (naming them), else commit
-     *  the file removal and the manifest patch in one commit. The inbound recheck here is the
-     *  authoritative gate, closing the load-to-delete race. */
-    async function deleteAction(event) {
-        const editor = sessionOf(event);
-        const concept = conceptOf(runtime, event.params);
-        const id = event.params.id ?? '';
-        if (!isValidId(id))
-            throw error(400, 'Invalid entry id');
+    /** The shared delete core. Block-until-clean: refuse while inbound links exist (naming them), else
+     *  commit the file removal and the manifest patch in one commit. The inbound recheck here is the
+     *  authoritative gate, closing the load-to-delete race. Both the editor delete (id from params) and
+     *  the list delete (id from the form body) call this with an already-validated id, so the guard is
+     *  enforced once. */
+    async function deleteEntry(event, concept, id, editor) {
         const path = `${concept.dir}/${filenameFromId(id)}`;
         const token = await mintToken(event.platform?.env ?? {});
         // An absent manifest degrades the inbound gate to "allow": with no manifest there is nothing to
@@ -268,7 +273,7 @@ export function createContentRoutes(runtime, deps = {}) {
         const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
         const inbound = inboundLinks(manifest, concept.id, id);
         if (inbound.length) {
-            return fail(409, { inboundLinks: inbound });
+            return fail(409, { inboundLinks: inbound, id });
         }
         const nextManifest = serializeManifest(removeEntry(manifest, concept.id, id));
         try {
@@ -286,6 +291,25 @@ export function createContentRoutes(runtime, deps = {}) {
         }
         throw redirect(303, `/admin/${concept.id}`);
     }
+    /** Delete an entry from its editor. The id comes from the route param. */
+    async function deleteAction(event) {
+        const editor = sessionOf(event);
+        const concept = conceptOf(runtime, event.params);
+        const id = event.params.id ?? '';
+        if (!isValidId(id))
+            throw error(400, 'Invalid entry id');
+        return deleteEntry(event, concept, id, editor);
+    }
+    /** Delete an entry from the concept list. The id comes from the form body. */
+    async function listDeleteAction(event) {
+        const editor = sessionOf(event);
+        const concept = conceptOf(runtime, event.params);
+        const form = await event.request.formData();
+        const id = String(form.get('id') ?? '');
+        if (!isValidId(id))
+            throw error(400, 'Invalid entry id');
+        return deleteEntry(event, concept, id, editor);
+    }
     /** Rename an entry: change its slug, move the file, and rewrite every inbound cairn token in one
      *  atomic commit, so no internal link breaks. The collision check and the inbound recompute here
      *  are the authoritative gate. The same last-writer-wins manifest race as save and delete applies,
@@ -364,5 +388,5 @@ export function createContentRoutes(runtime, deps = {}) {
         }
         throw redirect(303, `/admin/${concept.id}/${newId}?renamed=1`);
     }
-    return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, deleteAction, renameAction, mintToken };
+    return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, deleteAction, listDeleteAction, renameAction, mintToken };
 }

package/dist/sveltekit/guard.js

@@ -4,6 +4,7 @@
 import { redirect, error } from '@sveltejs/kit';
 import { resolveSession } from '../auth/store.js';
 import { sessionCookieName } from '../auth/crypto.js';
+import { httpsRequiredPage } from './https-required-page.js';
 /** The login page and the auth endpoints are public; everything else under /admin is gated. */
 function isPublicAdminPath(pathname) {
     return pathname === '/admin/login' || pathname.startsWith('/admin/auth/');
@@ -11,6 +12,19 @@ function isPublicAdminPath(pathname) {
 function isAdminPath(pathname) {
     return pathname === '/admin' || pathname.startsWith('/admin/');
 }
+/**
+ * Local development (`wrangler dev`) legitimately speaks http; a deployed host does not. The hostname
+ * comes from the client `Host` header, so this is UX only: it decides whether to show the help page,
+ * never whether to grant access. The session gate below runs regardless. Do not make it an auth check.
+ */
+function isLocalHost(hostname) {
+    return (hostname === 'localhost' ||
+        hostname === '127.0.0.1' ||
+        hostname === '0.0.0.0' ||
+        hostname === '::1' ||
+        hostname === '[::1]' ||
+        hostname.endsWith('.localhost'));
+}
 /**
  * Attach the baseline security headers to an admin response. No full CSP; see the auth-hardening
  * design. frame-ancestors is the modern clickjacking control and the one CSP directive included.
@@ -23,12 +37,30 @@ function applySecurityHeaders(headers) {
     headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
 }
+/** The hardened 400 help page for a deployed admin request that arrived over http. */
+function httpsRequiredResponse(url) {
+    const httpsUrl = new URL(url);
+    httpsUrl.protocol = 'https:';
+    const headers = new Headers({
+        'Content-Type': 'text/html; charset=utf-8',
+        'Cache-Control': 'no-store',
+    });
+    applySecurityHeaders(headers);
+    return new Response(httpsRequiredPage(httpsUrl.toString()), { status: 400, headers });
+}
 /** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export function createAuthGuard() {
     return async function handle({ event, resolve }) {
         const { pathname } = event.url;
         if (!isAdminPath(pathname))
             return resolve(event);
+        // A deployed admin request over http never works: the magic-link form POST would fail the
+        // framework's CSRF guard with an opaque 403. Serve the help page instead, before resolve()
+        // runs that check. This covers the public login/auth paths too, since that is where the form
+        // posts. Local http (wrangler dev) is exempt.
+        if (event.url.protocol === 'http:' && !isLocalHost(event.url.hostname)) {
+            return httpsRequiredResponse(event.url);
+        }
         if (!isPublicAdminPath(pathname)) {
             const env = event.platform?.env ?? {};
             const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));

package/dist/sveltekit/https-required-page.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Render the full HTML document for the HTTPS-required page.
+ * @param httpsUrl The same request rebuilt over https, offered as the one-click recovery link.
+ */
+export declare function httpsRequiredPage(httpsUrl: string): string;