@glw907/cairn-cms 0.3.0 → 0.4.0

package/README.md

@@ -13,12 +13,20 @@ sites with completely different markdown pipelines — e.g. [ecnordic.ski](https
 
 ## Status
 
-**Early (`0.1.x`) — works, API not yet frozen.** The core was built *inside ecnordic.ski first*
-(the richer proving ground) with the cairn-core ↔ site-adapter seams designed in from day one,
-then extracted into this package and validated on a second design (907.life). The auth, GitHub
-commit path, Carta preview, the adapter contract, and the shared admin shell (`/sveltekit`
-server logic + `/components` Svelte UI) all run on both sites. The adapter API may still change
-before `1.0` (pending a forward-compatibility review) — pin a caret range and expect 0.x churn.
+**`0.4.x` — auth on [better-auth](https://better-auth.com); API not yet frozen.** The core was
+built *inside ecnordic.ski first* (the richer proving ground) with the cairn-core ↔ site-adapter
+seams designed in from day one, then extracted into this package and validated on a second design
+(907.life). Editor auth runs on **better-auth (Cloudflare D1 + magic-link)** behind a scanner-safe
+**POST-confirm** flow, with two-tier `owner`/`editor` roles; the GitHub-App commit signer stays
+bespoke. The GitHub commit path, Carta preview, the adapter contract, and the shared admin shell
+(`/sveltekit` server logic + `/components` Svelte UI + `/auth`) all run on both sites. Pin a caret
+range and expect 0.x churn.
+
+> **Breaking in `0.4.0`** (from `0.3.x`): editor auth moved off the hand-rolled magic-link/KV/
+> signed-cookie stack onto better-auth. Each site now needs a **D1 binding** (`AUTH_DB`) +
+> committed migrations, an `AUTH_SECRET`, a `/api/auth/[...all]` catch-all + `/admin/auth/confirm`
+> shims, and the new `better-auth` + `drizzle-orm` peer deps. Magic links are now POST-confirm
+> (a confirm page, not a GET link).
 
 ## Install
 

package/dist/auth/admins.d.ts

@@ -0,0 +1,33 @@
+import type { Auth } from './config';
+import type { CairnUser } from './guard';
+export interface AdminsData {
+    admins: CairnUser[];
+    /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
+    self: string;
+    saved: boolean;
+    error: string | null;
+}
+/**
+ * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
+ * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
+ * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
+ */
+export declare function requireOwner(user: CairnUser | null): CairnUser;
+type Ev = {
+    locals: {
+        auth: Auth;
+        user: CairnUser | null;
+    };
+    request: Request;
+    url: URL;
+};
+/** List the allowlist for the manage-editors page. Owner-only. */
+export declare function adminsLoad(event: Ev): Promise<AdminsData>;
+/** Add an editor (create the user). Owner-only. */
+export declare function addAdmin(event: Ev): Promise<never>;
+/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
+export declare function removeAdmin(event: Ev): Promise<never>;
+/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
+export declare function setAdminRole(event: Ev): Promise<never>;
+export {};
+//# sourceMappingURL=admins.d.ts.map

package/dist/auth/admins.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admins.d.ts","sourceRoot":"","sources":["../../src/lib/auth/admins.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAID;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAI9D;AAED,KAAK,EAAE,GAAG;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBzF,kEAAkE;AAClE,wBAAsB,UAAU,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAa/D;AAED,mDAAmD;AACnD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAYxD;AAED,qGAAqG;AACrG,wBAAsB,WAAW,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAW3D;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAc5D"}

package/dist/auth/admins.js

@@ -0,0 +1,90 @@
+// cairn-core: owner-gated editor management, on better-auth's admin API. The `user` table IS
+// the allowlist (disableSignUp ⇒ only listed emails can sign in), so add/remove editor = create/
+// remove user; role flips go through the admin plugin's access-control roles (owner/editor).
+// These run as SvelteKit form actions; each verifies the acting user is an owner first.
+import { redirect, error } from '@sveltejs/kit';
+const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
+/**
+ * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
+ * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
+ * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
+ */
+export function requireOwner(user) {
+    if (!user)
+        throw error(401, 'Not signed in');
+    if (user.role !== 'owner')
+        throw error(403, 'Owner access required');
+    return user;
+}
+function asCairnUser(u) {
+    return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
+}
+/** Find an editor by exact (lowercased) email, or undefined. */
+async function findByEmail(event, email) {
+    const res = await event.locals.auth.api.listUsers({
+        query: { searchValue: email, searchField: 'email', limit: 100 },
+        headers: event.request.headers,
+    });
+    const match = (res.users ?? []).find((u) => u.email.toLowerCase() === email);
+    return match ? asCairnUser(match) : undefined;
+}
+/** List the allowlist for the manage-editors page. Owner-only. */
+export async function adminsLoad(event) {
+    const owner = requireOwner(event.locals.user);
+    const res = await event.locals.auth.api.listUsers({
+        query: { limit: 200 },
+        headers: event.request.headers,
+    });
+    const admins = (res.users ?? []).map(asCairnUser).sort((a, b) => a.email.localeCompare(b.email));
+    return {
+        admins,
+        self: owner.email,
+        saved: event.url.searchParams.get('saved') === '1',
+        error: event.url.searchParams.get('error'),
+    };
+}
+/** Add an editor (create the user). Owner-only. */
+export async function addAdmin(event) {
+    requireOwner(event.locals.user);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    const name = String(form.get('name') ?? '').trim();
+    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
+    if (!EMAIL_RE.test(email) || !name) {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
+    }
+    // No password: a magic-link-only user (no credential account), per better-auth's createUser.
+    await event.locals.auth.api.createUser({ body: { email, name, role }, headers: event.request.headers });
+    throw redirect(303, '/admin/admins?saved=1');
+}
+/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
+export async function removeAdmin(event) {
+    const owner = requireOwner(event.locals.user);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    if (email === owner.email) {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
+    }
+    const target = await findByEmail(event, email);
+    if (!target)
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
+    await event.locals.auth.api.removeUser({ body: { userId: target.id }, headers: event.request.headers });
+    throw redirect(303, '/admin/admins?saved=1');
+}
+/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
+export async function setAdminRole(event) {
+    const owner = requireOwner(event.locals.user);
+    const form = await event.request.formData();
+    const email = String(form.get('email') ?? '').trim().toLowerCase();
+    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
+    if (email === owner.email && role !== 'owner') {
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
+    }
+    const target = await findByEmail(event, email);
+    if (!target)
+        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
+    await event.locals.auth.api.setRole({ body: { userId: target.id, role }, headers: event.request.headers });
+    // M3: revoke a demoted editor's live sessions so the privilege drop takes effect immediately.
+    await event.locals.auth.api.revokeUserSessions({ body: { userId: target.id }, headers: event.request.headers });
+    throw redirect(303, '/admin/admins?saved=1');
+}