@glw907/cairn-cms 0.3.1 → 0.4.0

package/dist/auth/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/lib/auth/schema.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAmBf,CAAC;AAEH,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBnB,CAAC;AAEF,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA4BnB,CAAC;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBxB,CAAC;AAEF,eAAO,MAAM,aAAa;;;EAGvB,CAAC;AAEJ,eAAO,MAAM,gBAAgB;;EAK1B,CAAC;AAEJ,eAAO,MAAM,gBAAgB;;EAK1B,CAAC"}

package/dist/auth/schema.js

@@ -0,0 +1,93 @@
+import { relations, sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+export const user = sqliteTable("user", {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    email: text("email").notNull().unique(),
+    emailVerified: integer("email_verified", { mode: "boolean" })
+        .default(false)
+        .notNull(),
+    image: text("image"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+    role: text("role"),
+    banned: integer("banned", { mode: "boolean" }).default(false),
+    banReason: text("ban_reason"),
+    banExpires: integer("ban_expires", { mode: "timestamp_ms" }),
+});
+export const session = sqliteTable("session", {
+    id: text("id").primaryKey(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+        .notNull()
+        .references(() => user.id, { onDelete: "cascade" }),
+    impersonatedBy: text("impersonated_by"),
+}, (table) => [index("session_userId_idx").on(table.userId)]);
+export const account = sqliteTable("account", {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+        .notNull()
+        .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+        mode: "timestamp_ms",
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+        mode: "timestamp_ms",
+    }),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+}, (table) => [index("account_userId_idx").on(table.userId)]);
+export const verification = sqliteTable("verification", {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+}, (table) => [index("verification_identifier_idx").on(table.identifier)]);
+export const userRelations = relations(user, ({ many }) => ({
+    sessions: many(session),
+    accounts: many(account),
+}));
+export const sessionRelations = relations(session, ({ one }) => ({
+    user: one(user, {
+        fields: [session.userId],
+        references: [user.id],
+    }),
+}));
+export const accountRelations = relations(account, ({ one }) => ({
+    user: one(user, {
+        fields: [account.userId],
+        references: [user.id],
+    }),
+}));

package/dist/components/AdminLayout.svelte

@@ -7,13 +7,13 @@
   // (the login page lives under this layout) it falls back to a minimal centered shell.
   // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
-  import type { Editor } from '../auth';
+  import type { CairnUser } from '../auth';
 
   let {
     data,
     children,
   }: {
-    data: { siteName: string; editor: Editor | null; pathname: string };
+    data: { siteName: string; user: CairnUser | null; pathname: string };
     children: Snippet;
   } = $props();
 
@@ -41,7 +41,7 @@
       active: data.pathname.startsWith('/admin/admins'),
     },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
   // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
   function closeDrawer(): void {
@@ -68,7 +68,7 @@
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-{#if data.editor}
+{#if data.user}
   <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
@@ -111,8 +111,8 @@
         </ul>
 
         <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.editor.name}</p>
-          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <p class="text-sm font-medium">{data.user.name}</p>
+          <p class="text-xs opacity-60">{data.user.email}</p>
           <form method="POST" action="/admin/auth/logout" class="mt-3">
             <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
           </form>

package/dist/components/AdminLayout.svelte.d.ts

@@ -1,9 +1,9 @@
 import type { Snippet } from 'svelte';
-import type { Editor } from '../auth';
+import type { CairnUser } from '../auth';
 type $$ComponentProps = {
     data: {
         siteName: string;
-        editor: Editor | null;
+        user: CairnUser | null;
         pathname: string;
     };
     children: Snippet;

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAWrC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/ConfirmPage.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  // The scanner-safe confirm surface (C2). A GET renders this static page — nothing is consumed.
+  // The token rides in a hidden field; only the explicit form POST (the route's default action →
+  // confirmSignIn) verifies it. Mail scanners GET URLs but don't submit forms, so prefetch can't
+  // burn the link. JS-free by design.
+  interface Props {
+    data: { token: string; siteName: string; error: string | null };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Confirm sign-in · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="mx-auto mt-16 max-w-md rounded-box border border-base-300 bg-base-100 p-8">
+  <h1 class="text-2xl font-bold">Confirm sign-in</h1>
+  <p class="mt-1 text-sm opacity-70">to {data.siteName} CMS</p>
+
+  {#if data.error || !data.token}
+    <div class="alert alert-error mt-6">
+      <span>This sign-in link is invalid or expired. Request a new one.</span>
+    </div>
+    <a href="/admin/login" class="btn btn-primary mt-6">Back to sign-in</a>
+  {:else}
+    <form method="POST" class="mt-6 flex flex-col gap-3">
+      <input type="hidden" name="token" value={data.token} />
+      <button type="submit" class="btn btn-primary">Confirm sign-in</button>
+    </form>
+  {/if}
+</div>

package/dist/components/ConfirmPage.svelte.d.ts

@@ -0,0 +1,11 @@
+interface Props {
+    data: {
+        token: string;
+        siteName: string;
+        error: string | null;
+    };
+}
+declare const ConfirmPage: import("svelte").Component<Props, {}, "">;
+type ConfirmPage = ReturnType<typeof ConfirmPage>;
+export default ConfirmPage;
+//# sourceMappingURL=ConfirmPage.svelte.d.ts.map

package/dist/components/ConfirmPage.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConfirmPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ConfirmPage.svelte.ts"],"names":[],"mappings":"AAOE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACjE;AA6BH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/LoginPage.svelte

@@ -1,17 +1,33 @@
 <script lang="ts">
-  // The magic-link sign-in page. Posts the email to /admin/auth/request; `sent`/`error` come
-  // from `loginLoad` (querystring) merged with `adminLayoutLoad` (siteName).
+  // The magic-link sign-in page. Requests a link via the better-auth client (client-side, same
+  // origin). To avoid enumeration the UI shows the SAME neutral copy whether or not the email is
+  // on the allowlist — the server only emails actual editors (see auth/config.ts send gate).
+  import { createAuthClient } from 'better-auth/svelte';
+  import { magicLinkClient } from 'better-auth/client/plugins';
+
+  // The browser client lives in the one component that needs it (requesting a link). Sign-out
+  // and editor management go through server endpoints, so no shared client module is needed —
+  // and a component-local const keeps better-auth's deep client types out of the packaged .d.ts.
+  const authClient = createAuthClient({ plugins: [magicLinkClient()] });
+
   interface Props {
-    data: { siteName: string; sent: boolean; error: string | null };
+    data: { siteName: string };
   }
   let { data }: Props = $props();
 
-  const errorMessages: Record<string, string> = {
-    invalid: 'Please enter a valid email address.',
-    denied: 'That email is not on the editor allowlist.',
-    expired: 'That sign-in link has expired or was already used. Request a new one.',
-    config: 'Sign-in is not configured. Contact the site admin.',
-  };
+  let email = $state('');
+  let requested = $state(false);
+  let busy = $state(false);
+
+  async function request(event: SubmitEvent) {
+    event.preventDefault();
+    busy = true;
+    // The magic-link email points at our /admin/auth/confirm page (built in config.ts), not a
+    // GET-verify URL — so the result is the same regardless of allowlist membership.
+    await authClient.signIn.magicLink({ email });
+    busy = false;
+    requested = true;
+  }
 </script>
 
 <svelte:head>
@@ -22,26 +38,27 @@
   <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
   <p class="mt-1 text-sm opacity-70">Sign in with your editor email.</p>
 
-  {#if data.sent}
+  {#if requested}
     <div class="alert alert-success mt-6">
-      <span>Check your inbox — a sign-in link is on its way. It expires in 10 minutes.</span>
+      <span>
+        If that address is on the editor list, a sign-in link is on its way. It expires in 10
+        minutes.
+      </span>
     </div>
   {:else}
-    {#if data.error}
-      <div class="alert alert-error mt-6">
-        <span>{errorMessages[data.error] ?? 'Something went wrong. Try again.'}</span>
-      </div>
-    {/if}
-    <form method="POST" action="/admin/auth/request" class="mt-6 flex flex-col gap-3">
+    <form onsubmit={request} class="mt-6 flex flex-col gap-3">
       <input
         type="email"
         name="email"
+        bind:value={email}
         required
         autocomplete="email"
         placeholder="you@example.com"
         class="input w-full"
       />
-      <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
+      <button type="submit" class="btn btn-primary" disabled={busy}>
+        {busy ? 'Sending…' : 'Email me a sign-in link'}
+      </button>
     </form>
   {/if}
 </div>

package/dist/components/LoginPage.svelte.d.ts

@@ -1,8 +1,6 @@
 interface Props {
     data: {
         siteName: string;
-        sent: boolean;
-        error: string | null;
     };
 }
 declare const LoginPage: import("svelte").Component<Props, {}, "">;

package/dist/components/LoginPage.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LoginPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/LoginPage.svelte.ts"],"names":[],"mappings":"AAKE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACjE;AAwCH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}
+{"version":3,"file":"LoginPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/LoginPage.svelte.ts"],"names":[],"mappings":"AAUE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5B;AAyDH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}

package/dist/components/ManageAdmins.svelte

@@ -3,7 +3,7 @@
   // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
   // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
   // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
-  import type { AdminsData } from '../sveltekit';
+  import type { AdminsData } from '../auth';
 
   interface Props {
     data: AdminsData & { siteName: string };

package/dist/components/ManageAdmins.svelte.d.ts

@@ -1,4 +1,4 @@
-import type { AdminsData } from '../sveltekit';
+import type { AdminsData } from '../auth';
 interface Props {
     data: AdminsData & {
         siteName: string;

package/dist/components/ManageAdmins.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ManageAdmins.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ManageAdmins.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG7C,UAAU,KAAK;IACb,IAAI,EAAE,UAAU,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAmFH,QAAA,MAAM,YAAY,2CAAwC,CAAC;AAC3D,KAAK,YAAY,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AACpD,eAAe,YAAY,CAAC"}
+{"version":3,"file":"ManageAdmins.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ManageAdmins.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGxC,UAAU,KAAK;IACb,IAAI,EAAE,UAAU,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAmFH,QAAA,MAAM,YAAY,2CAAwC,CAAC;AAC3D,KAAK,YAAY,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AACpD,eAAe,YAAY,CAAC"}

package/dist/components/index.d.ts

@@ -1,6 +1,7 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/components/index.js

@@ -3,5 +3,6 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';

package/dist/email.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAQA,4FAA4F;AAC5F,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CASf"}
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAQA,4FAA4F;AAC5F,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAgBf"}

package/dist/email.js

@@ -7,11 +7,19 @@
 // Resend can slot in behind the same `sendMagicLink` signature if needed.
 export async function sendMagicLink(sender, to, link, siteName, from) {
     const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";
-    await sender.send({
-        to,
-        from,
-        subject: `Your ${siteName} sign-in link`,
-        text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
-        html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Sign in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
-    });
+    try {
+        await sender.send({
+            to,
+            from,
+            subject: `Your ${siteName} sign-in link`,
+            text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
+            html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Confirm sign-in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
+        });
+    }
+    catch (err) {
+        // H6: Email Sending is beta + the sole auth channel. Surface + audit; a Resend fallback
+        // can slot in behind this same signature if Sending proves unreliable.
+        console.error(`magic-link email send failed for ${to}:`, err);
+        throw err;
+    }
 }

package/dist/index.d.ts

@@ -1,4 +1,3 @@
-export * from './auth';
 export * from './email';
 export * from './github';
 export * from './carta';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AACA,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC"}

package/dist/index.js

@@ -1,5 +1,5 @@
-// cairn-cms public API. Consumers import everything from 'cairn-cms'.
-export * from './auth';
+// cairn-cms public API. Consumers import content/email/github/adapter from 'cairn-cms';
+// auth (better-auth factory, guards, manage-editors) lives at the 'cairn-cms/auth' subpath.
 export * from './email';
 export * from './github';
 export * from './carta';

package/dist/sveltekit/index.d.ts

@@ -1,17 +1,8 @@
-import { type Cookies } from '@sveltejs/kit';
-import type { KVNamespace } from '@cloudflare/workers-types';
-import { type Editor } from '../auth';
-import { type EmailSender } from '../email';
+import type { CairnUser } from '../auth/guard';
 import { type RepoFile } from '../github';
 import { type CairnAdapter, type CairnField } from '../adapter';
-/** The `platform.env` bindings the admin routes read. All optional — the handlers guard. */
+/** The `platform.env` bindings the content routes read. All optional — the handlers guard. */
 export interface AdminEnv {
-    AUTH_KV?: KVNamespace;
-    MAGIC_LINK_SECRET?: string;
-    SESSION_SECRET?: string;
-    EMAIL?: EmailSender;
-    /** Overrides `url.origin` for the magic-link base (set in dev, unset in prod). */
-    PUBLIC_ORIGIN?: string;
     GITHUB_APP_ID?: string;
     GITHUB_APP_INSTALLATION_ID?: string;
     GITHUB_APP_PRIVATE_KEY_B64?: string;
@@ -22,7 +13,7 @@ interface PlatformEvent {
     };
 }
 export interface AdminLayoutData {
-    editor: Editor | null;
+    user: CairnUser | null;
     siteName: string;
     pathname: string;
 }
@@ -35,7 +26,7 @@ export interface AdminLayoutData {
  */
 export declare function adminLayoutLoad(event: {
     locals: {
-        editor: Editor | null;
+        user: CairnUser | null;
     };
     url: URL;
 }, adapter: CairnAdapter): AdminLayoutData;
@@ -49,13 +40,6 @@ export interface AdminCollectionList {
 export declare function adminListLoad(event: PlatformEvent, adapter: CairnAdapter): Promise<{
     collections: AdminCollectionList[];
 }>;
-export interface LoginData {
-    sent: boolean;
-    error: string | null;
-}
-export declare function loginLoad(event: {
-    url: URL;
-}): LoginData;
 export interface EditData {
     type: string;
     id: string;
@@ -75,48 +59,11 @@ export declare function editLoad(event: PlatformEvent & {
     };
     url: URL;
 }, adapter: CairnAdapter): Promise<EditData>;
-export declare function authRequest(event: PlatformEvent & {
-    request: Request;
-    url: URL;
-}, adapter: CairnAdapter): Promise<never>;
-export declare function authCallback(event: PlatformEvent & {
-    url: URL;
-    cookies: Cookies;
-}): Promise<never>;
-export declare function logout(event: {
-    cookies: Cookies;
-}): never;
 export declare function saveCommit(event: PlatformEvent & {
     request: Request;
     locals: {
-        editor: Editor | null;
+        user: CairnUser | null;
     };
 }, adapter: CairnAdapter): Promise<never>;
-export interface AdminsData {
-    admins: Editor[];
-    /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-    self: string;
-    saved: boolean;
-    error: string | null;
-}
-/** List the allowlist for the manage-admins page. Owner-only. */
-export declare function adminsLoad(event: PlatformEvent & {
-    locals: {
-        editor: Editor | null;
-    };
-    url: URL;
-}): Promise<AdminsData>;
-type AdminsActionEvent = PlatformEvent & {
-    request: Request;
-    locals: {
-        editor: Editor | null;
-    };
-};
-/** Add (or update) an allowlist entry. Owner-only. */
-export declare function addAdmin(event: AdminsActionEvent): Promise<never>;
-/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
-export declare function removeAdmin(event: AdminsActionEvent): Promise<never>;
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export declare function setAdminRole(event: AdminsActionEvent): Promise<never>;
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/sveltekit/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAmB,KAAK,OAAO,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAE7D,OAAO,EAUL,KAAK,MAAM,EAEZ,MAAM,SAAS,CAAC;AACjB,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAwD,KAAK,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEhG,OAAO,EAAuC,KAAK,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAErG,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACrC;AAED,UAAU,aAAa;IACrB,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,QAAQ,CAAA;KAAE,CAAC;CAC/B;AA6BD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACtD,OAAO,EAAE,YAAY,GACpB,eAAe,CAEjB;AAID,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,wBAAsB,aAAa,CACjC,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC;IAAE,WAAW,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAAC,CAajD;AAID,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE;IAAE,GAAG,EAAE,GAAG,CAAA;CAAE,GAAG,SAAS,CAKxD;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAsB,QAAQ,CAC5B,KAAK,EAAE,aAAa,GAAG;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACzE,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,QAAQ,CAAC,CAyBnB;AAID,wBAAsB,WAAW,CAC/B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACrD,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA8BhB;AAID,wBAAsB,YAAY,CAChC,KAAK,EAAE,aAAa,GAAG;IAAE,GAAG,EAAE,GAAG,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GACpD,OAAO,CAAC,KAAK,CAAC,CA4BhB;AAID,wBAAgB,MAAM,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,GAAG,KAAK,CAGzD;AAID,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC9E,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA0ChB;AAsBD,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,iEAAiE;AACjE,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,GACrE,OAAO,CAAC,UAAU,CAAC,CASrB;AAED,KAAK,iBAAiB,GAAG,aAAa,GAAG;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACnC,CAAC;AAMF,sDAAsD;AACtD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAWvE;AAED,4FAA4F;AAC5F,wBAAsB,WAAW,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAU1E;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,CAe3E"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/index.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAwD,KAAK,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEhG,OAAO,EAAuC,KAAK,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAErG,8FAA8F;AAC9F,MAAM,WAAW,QAAQ;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACrC;AAED,UAAU,aAAa;IACrB,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,QAAQ,CAAA;KAAE,CAAC;CAC/B;AA2BD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACvD,OAAO,EAAE,YAAY,GACpB,eAAe,CAEjB;AAID,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,wBAAsB,aAAa,CACjC,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC;IAAE,WAAW,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAAC,CAajD;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAsB,QAAQ,CAC5B,KAAK,EAAE,aAAa,GAAG;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,EACzE,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,QAAQ,CAAC,CAyBnB;AAID,wBAAsB,UAAU,CAC9B,KAAK,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC/E,OAAO,EAAE,YAAY,GACpB,OAAO,CAAC,KAAK,CAAC,CA0ChB"}