@glw907/cairn-cms 0.3.0 → 0.4.0

package/src/lib/sveltekit/index.ts

@@ -1,41 +1,22 @@
-// cairn-core: the SvelteKit route server logic, extracted so each site's `admin/**` route
-// files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
+// cairn-core: the SvelteKit content-route server logic, extracted so each site's `admin/**`
+// route files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
 //
 // SvelteKit's filesystem routing requires the route *files* to live in each site's
 // `src/routes/`, but their bodies are identical across sites — only the adapter differs.
 // These functions take the SvelteKit event (typed structurally, to avoid depending on the
 // site-generated `App.*` ambient types) plus the site `CairnAdapter`, and throw
-// `redirect`/`error` from `@sveltejs/kit`. That `@sveltejs/kit` is a peer dependency so the
-// thrown objects share class identity with the host's runtime (else the redirect 500s).
-import { redirect, error, type Cookies } from '@sveltejs/kit';
-import type { KVNamespace } from '@cloudflare/workers-types';
+// `redirect`/`error` from `@sveltejs/kit` (a peer dependency, so the thrown objects share
+// class identity with the host's runtime — else the redirect 500s). Auth/session/manage-editors
+// logic lives under `@glw907/cairn-cms/auth`; this module is content-only (list/edit/save).
+import { redirect, error } from '@sveltejs/kit';
 import matter from 'gray-matter';
-import {
-  createMagicLink,
-  redeemMagicToken,
-  createSession,
-  lookupEditor,
-  listEditors,
-  setEditor,
-  removeEditor,
-  SESSION_COOKIE,
-  SESSION_MAX_AGE,
-  type Editor,
-  type Role,
-} from '../auth';
-import { sendMagicLink, type EmailSender } from '../email';
+import type { CairnUser } from '../auth/guard';
 import { listMarkdown, readRaw, commitFile, installationToken, type RepoFile } from '../github';
 import { serializeMarkdown } from '../content';
 import { findCollection, frontmatterFromForm, type CairnAdapter, type CairnField } from '../adapter';
 
-/** The `platform.env` bindings the admin routes read. All optional — the handlers guard. */
+/** The `platform.env` bindings the content routes read. All optional — the handlers guard. */
 export interface AdminEnv {
-  AUTH_KV?: KVNamespace;
-  MAGIC_LINK_SECRET?: string;
-  SESSION_SECRET?: string;
-  EMAIL?: EmailSender;
-  /** Overrides `url.origin` for the magic-link base (set in dev, unset in prod). */
-  PUBLIC_ORIGIN?: string;
   GITHUB_APP_ID?: string;
   GITHUB_APP_INSTALLATION_ID?: string;
   GITHUB_APP_PRIVATE_KEY_B64?: string;
@@ -45,12 +26,33 @@ interface PlatformEvent {
   platform?: { env?: AdminEnv };
 }
 
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
+/**
+ * Mint a GitHub App installation token for *reads* when the App is configured, else undefined
+ * (reads then fall back to anonymous). Authenticated reads get the 5000/hr limit; anonymous
+ * reads share GitHub's 60/hr-per-IP budget across Cloudflare's egress IPs, so they 403 in prod.
+ * A mint failure degrades gracefully to anonymous rather than 500ing — unlike the commit path,
+ * where a missing App is fatal, a read can still succeed unauthenticated.
+ */
+async function readToken(env: AdminEnv | undefined): Promise<string | undefined> {
+  if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
+    return undefined;
+  }
+  try {
+    return await installationToken({
+      appId: env.GITHUB_APP_ID,
+      installationId: env.GITHUB_APP_INSTALLATION_ID,
+      privateKeyB64: env.GITHUB_APP_PRIVATE_KEY_B64,
+    });
+  } catch (err) {
+    console.error('read token mint failed; falling back to anonymous read:', err);
+    return undefined;
+  }
+}
 
 // ── /admin layout ──────────────────────────────────────────────────────────
 
 export interface AdminLayoutData {
-  editor: Editor | null;
+  user: CairnUser | null;
   siteName: string;
   pathname: string;
 }
@@ -63,10 +65,10 @@ export interface AdminLayoutData {
  * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export function adminLayoutLoad(
-  event: { locals: { editor: Editor | null }; url: URL },
+  event: { locals: { user: CairnUser | null }; url: URL },
   adapter: CairnAdapter,
 ): AdminLayoutData {
-  return { editor: event.locals.editor, siteName: adapter.siteName, pathname: event.url.pathname };
+  return { user: event.locals.user, siteName: adapter.siteName, pathname: event.url.pathname };
 }
 
 // ── /admin (content list) ────────────────────────────────────────────────────
@@ -79,11 +81,15 @@ export interface AdminCollectionList {
 }
 
 /** List every collection's markdown files. A failed listing degrades to an inline error. */
-export async function adminListLoad(adapter: CairnAdapter): Promise<{ collections: AdminCollectionList[] }> {
+export async function adminListLoad(
+  event: PlatformEvent,
+  adapter: CairnAdapter,
+): Promise<{ collections: AdminCollectionList[] }> {
+  const token = await readToken(event.platform?.env);
   const collections = await Promise.all(
     adapter.collections.map(async ({ type, label, dir }): Promise<AdminCollectionList> => {
       try {
-        return { type, label, files: await listMarkdown(adapter.backend, dir) };
+        return { type, label, files: await listMarkdown(adapter.backend, dir, token) };
       } catch (err) {
         // A failed listing (rate limit, network) shouldn't 500 the whole admin.
         return { type, label, files: [], error: err instanceof Error ? err.message : 'Failed to load' };
@@ -93,20 +99,6 @@ export async function adminListLoad(adapter: CairnAdapter): Promise<{ collection
   return { collections };
 }
 
-// ── /admin/login ──────────────────────────────────────────────────────────────
-
-export interface LoginData {
-  sent: boolean;
-  error: string | null;
-}
-
-export function loginLoad(event: { url: URL }): LoginData {
-  return {
-    sent: event.url.searchParams.get('sent') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
 // ── /admin/edit/[type]/[id] ─────────────────────────────────────────────────
 
 export interface EditData {
@@ -123,15 +115,15 @@ export interface EditData {
 }
 
 export async function editLoad(
-  event: { params: { type: string; id: string }; url: URL },
+  event: PlatformEvent & { params: { type: string; id: string }; url: URL },
   adapter: CairnAdapter,
 ): Promise<EditData> {
   const collection = findCollection(adapter, event.params.type);
   if (!collection) throw error(404, 'Unknown collection');
 
-  // Anonymous read — repos are public; the GitHub App token is commit-only (see saveCommit).
+  const token = await readToken(event.platform?.env);
   const path = `${collection.dir}/${event.params.id}.md`;
-  const raw = await readRaw(adapter.backend, path);
+  const raw = await readRaw(adapter.backend, path, token);
   if (raw === null) throw error(404, 'Content not found');
 
   // Split frontmatter from body server-side; the editor form binds to the frontmatter and
@@ -152,92 +144,14 @@ export async function editLoad(
   };
 }
 
-// ── /admin/auth/request (POST) ──────────────────────────────────────────────
-
-export async function authRequest(
-  event: PlatformEvent & { request: Request; url: URL },
-  adapter: CairnAdapter,
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.EMAIL) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (!EMAIL_RE.test(email)) {
-    throw redirect(303, '/admin/login?error=invalid');
-  }
-
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const token = await createMagicLink(email, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  // PUBLIC_ORIGIN overrides url.origin for local dev (where wrangler's custom-domain
-  // route makes url.origin the production host); unset in prod → url.origin is correct.
-  const origin = env.PUBLIC_ORIGIN || event.url.origin;
-  const link = `${origin}/admin/auth/callback?token=${encodeURIComponent(token)}`;
-  try {
-    await sendMagicLink(env.EMAIL, email, link, adapter.siteName, adapter.sender);
-  } catch (err) {
-    console.error('magic-link send failed:', err);
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  throw redirect(303, '/admin/login?sent=1');
-}
-
-// ── /admin/auth/callback (GET) ──────────────────────────────────────────────
-
-export async function authCallback(
-  event: PlatformEvent & { url: URL; cookies: Cookies },
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.SESSION_SECRET) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const token = event.url.searchParams.get('token') ?? '';
-  const email = await redeemMagicToken(token, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  if (!email) {
-    throw redirect(303, '/admin/login?error=expired');
-  }
-
-  // Re-check the allowlist at redemption — membership may have changed since issue.
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const session = await createSession(editor, env.SESSION_SECRET);
-  event.cookies.set(SESSION_COOKIE, session, {
-    path: '/',
-    httpOnly: true,
-    secure: event.url.protocol === 'https:',
-    sameSite: 'lax',
-    maxAge: SESSION_MAX_AGE,
-  });
-
-  throw redirect(303, '/admin');
-}
-
-// ── /admin/auth/logout (POST) ───────────────────────────────────────────────
-
-export function logout(event: { cookies: Cookies }): never {
-  event.cookies.delete(SESSION_COOKIE, { path: '/' });
-  throw redirect(303, '/admin/login');
-}
-
 // ── /admin/save (POST) ──────────────────────────────────────────────────────
 
 export async function saveCommit(
-  event: PlatformEvent & { request: Request; locals: { editor: Editor | null } },
+  event: PlatformEvent & { request: Request; locals: { user: CairnUser | null } },
   adapter: CairnAdapter,
 ): Promise<never> {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
+  const user = event.locals.user;
+  if (!user) throw error(401, 'Not signed in');
 
   const env = event.platform?.env;
   if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
@@ -272,105 +186,9 @@ export async function saveCommit(
     adapter.backend,
     `${collection.dir}/${id}.md`,
     markdown,
-    { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: editor.name, email: editor.email } },
+    { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: user.name, email: user.email } },
     token,
   );
 
   throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
 }
-
-// ── /admin/admins (owner-gated editor management) ────────────────────────────
-
-/**
- * The privilege-escalation gate for the manage-admins surface: only `owner`s may load it or
- * run its actions. Returns the acting owner (so callers can guard self-targeted mutations).
- */
-function requireOwner(event: { locals: { editor: Editor | null } }): Editor {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
-  if (editor.role !== 'owner') throw error(403, 'Owner access required');
-  return editor;
-}
-
-/** Resolve AUTH_KV or fail loudly — the management surface is useless without it. */
-function ownerKv(event: PlatformEvent): KVNamespace {
-  const kv = event.platform?.env?.AUTH_KV;
-  if (!kv) throw error(500, 'Editor allowlist is not configured');
-  return kv;
-}
-
-export interface AdminsData {
-  admins: Editor[];
-  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-  self: string;
-  saved: boolean;
-  error: string | null;
-}
-
-/** List the allowlist for the manage-admins page. Owner-only. */
-export async function adminsLoad(
-  event: PlatformEvent & { locals: { editor: Editor | null }; url: URL },
-): Promise<AdminsData> {
-  const owner = requireOwner(event);
-  const admins = await listEditors(ownerKv(event));
-  return {
-    admins,
-    self: owner.email,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
-type AdminsActionEvent = PlatformEvent & {
-  request: Request;
-  locals: { editor: Editor | null };
-};
-
-function parseRole(value: unknown): Role {
-  return value === 'owner' ? 'owner' : 'editor';
-}
-
-/** Add (or update) an allowlist entry. Owner-only. */
-export async function addAdmin(event: AdminsActionEvent): Promise<never> {
-  requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const name = String(form.get('name') ?? '').trim();
-  if (!EMAIL_RE.test(email) || !name) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-  }
-  await setEditor(email, name, parseRole(form.get('role')), kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (email === owner.email) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-  }
-  await removeEditor(email, kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const role = parseRole(form.get('role'));
-  if (email === owner.email && role !== 'owner') {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-  }
-  const existing = await lookupEditor(email, kv);
-  if (!existing) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  }
-  await setEditor(email, existing.name, role, kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}

package/dist/auth.d.ts

@@ -1,25 +0,0 @@
-import type { KVNamespace } from '@cloudflare/workers-types';
-/** Two-tier, per-site role. `owner`s manage the editor allowlist; `editor`s only edit content. */
-export type Role = 'owner' | 'editor';
-export interface Editor {
-    email: string;
-    name: string;
-    role: Role;
-}
-export declare const SESSION_COOKIE = "cairn_session";
-export declare const SESSION_MAX_AGE: number;
-/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
-export declare function createMagicLink(email: string, secret: string, kv: KVNamespace): Promise<string>;
-/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
-export declare function redeemMagicToken(token: string, secret: string, kv: KVNamespace): Promise<string | null>;
-export declare function createSession(editor: Editor, secret: string): Promise<string>;
-export declare function verifySession(token: string, secret: string): Promise<Editor | null>;
-/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
-export declare function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null>;
-/** Every allowlisted editor, sorted by email — the manage-admins list. */
-export declare function listEditors(kv: KVNamespace): Promise<Editor[]>;
-/** Add or update an allowlist entry (JSON value). Email is normalized. */
-export declare function setEditor(email: string, name: string, role: Role, kv: KVNamespace): Promise<void>;
-/** Remove an allowlist entry. */
-export declare function removeEditor(email: string, kv: KVNamespace): Promise<void>;
-//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,kGAAkG;AAClG,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAyBD,iFAAiF;AACjF,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAED,0EAA0E;AAC1E,wBAAsB,WAAW,CAAC,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CASpE;AAED,0EAA0E;AAC1E,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,iCAAiC;AACjC,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhF"}

package/dist/auth.js

@@ -1,132 +0,0 @@
-// cairn-core: magic-link auth + signed sessions.
-//
-// Generic across sites — no ecnordic specifics here. Crypto is Web Crypto (HMAC-SHA256)
-// so it runs unchanged on Cloudflare Workers under nodejs_compat. Single-use enforcement
-// for magic links rides on a KV nonce; signature + expiry are self-contained in the token.
-import { bytesToB64url } from './utils';
-export const SESSION_COOKIE = 'cairn_session';
-const MAGIC_TTL_SECONDS = 600; // 10 minutes
-const SESSION_TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
-export const SESSION_MAX_AGE = SESSION_TTL_SECONDS;
-const encoder = new TextEncoder();
-const decoder = new TextDecoder();
-function b64urlToBytes(value) {
-    const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
-    const padded = normalized + '='.repeat((4 - (normalized.length % 4)) % 4);
-    return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
-}
-// TextEncoder/atob produce Uint8Arrays whose generic buffer type no longer satisfies
-// Web Crypto's BufferSource under strict lib types; hand the underlying ArrayBuffer over.
-function buf(bytes) {
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-async function hmacKey(secret) {
-    return crypto.subtle.importKey('raw', buf(encoder.encode(secret)), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
-}
-/** Sign an arbitrary JSON payload as `<base64url(payload)>.<base64url(hmac)>`. */
-async function signToken(data, secret) {
-    const payload = bytesToB64url(encoder.encode(JSON.stringify(data)));
-    const key = await hmacKey(secret);
-    const sig = await crypto.subtle.sign('HMAC', key, buf(encoder.encode(payload)));
-    return `${payload}.${bytesToB64url(new Uint8Array(sig))}`;
-}
-/** Verify signature (constant-time via subtle.verify) and parse the payload, or null. */
-async function verifyToken(token, secret) {
-    const dot = token.indexOf('.');
-    if (dot < 0)
-        return null;
-    const payload = token.slice(0, dot);
-    const sig = token.slice(dot + 1);
-    const key = await hmacKey(secret);
-    let ok = false;
-    try {
-        ok = await crypto.subtle.verify('HMAC', key, buf(b64urlToBytes(sig)), buf(encoder.encode(payload)));
-    }
-    catch {
-        return null;
-    }
-    if (!ok)
-        return null;
-    try {
-        return JSON.parse(decoder.decode(b64urlToBytes(payload)));
-    }
-    catch {
-        return null;
-    }
-}
-/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
-export async function createMagicLink(email, secret, kv) {
-    const nonce = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)));
-    const exp = Date.now() + MAGIC_TTL_SECONDS * 1000;
-    const token = await signToken({ email, exp, nonce }, secret);
-    await kv.put(`ml:${nonce}`, email, { expirationTtl: MAGIC_TTL_SECONDS });
-    return token;
-}
-/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
-export async function redeemMagicToken(token, secret, kv) {
-    const payload = await verifyToken(token, secret);
-    if (!payload || Date.now() > payload.exp)
-        return null;
-    const stored = await kv.get(`ml:${payload.nonce}`);
-    if (stored !== payload.email)
-        return null;
-    await kv.delete(`ml:${payload.nonce}`); // burn it — single use
-    return payload.email;
-}
-export async function createSession(editor, secret) {
-    const exp = Date.now() + SESSION_TTL_SECONDS * 1000;
-    return signToken({ ...editor, exp }, secret);
-}
-export async function verifySession(token, secret) {
-    const payload = await verifyToken(token, secret);
-    if (!payload || Date.now() > payload.exp)
-        return null;
-    // Sessions signed before roles existed carry no `role` — treat them as plain editors.
-    return { email: payload.email, name: payload.name, role: payload.role ?? 'editor' };
-}
-const KEY_PREFIX = 'editor:';
-/**
- * Decode a stored allowlist value into name + role. Current entries are JSON
- * (`{"name","role"}`); legacy entries are a bare display-name string, read as `editor`
- * so the allowlist migrates lazily — re-saving an entry upgrades it to the JSON shape.
- */
-function parseEditorValue(raw) {
-    try {
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed.name === 'string') {
-            return { name: parsed.name, role: parsed.role === 'owner' ? 'owner' : 'editor' };
-        }
-    }
-    catch {
-        // Not JSON — legacy bare display-name; treat as editor.
-    }
-    return { name: raw, role: 'editor' };
-}
-function serializeEditorValue(name, role) {
-    return JSON.stringify({ name, role });
-}
-/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
-export async function lookupEditor(email, kv) {
-    const normalized = email.trim().toLowerCase();
-    const raw = await kv.get(`${KEY_PREFIX}${normalized}`);
-    if (raw === null)
-        return null;
-    return { email: normalized, ...parseEditorValue(raw) };
-}
-/** Every allowlisted editor, sorted by email — the manage-admins list. */
-export async function listEditors(kv) {
-    const { keys } = await kv.list({ prefix: KEY_PREFIX });
-    const editors = await Promise.all(keys.map(async ({ name: key }) => {
-        const raw = (await kv.get(key)) ?? '';
-        return { email: key.slice(KEY_PREFIX.length), ...parseEditorValue(raw) };
-    }));
-    return editors.sort((a, b) => a.email.localeCompare(b.email));
-}
-/** Add or update an allowlist entry (JSON value). Email is normalized. */
-export async function setEditor(email, name, role, kv) {
-    await kv.put(`${KEY_PREFIX}${email.trim().toLowerCase()}`, serializeEditorValue(name, role));
-}
-/** Remove an allowlist entry. */
-export async function removeEditor(email, kv) {
-    await kv.delete(`${KEY_PREFIX}${email.trim().toLowerCase()}`);
-}