@glw907/cairn-cms 0.3.1 → 0.4.0

package/src/lib/auth/schema.ts

@@ -0,0 +1,112 @@
+import { relations, sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+
+export const user = sqliteTable("user", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: integer("email_verified", { mode: "boolean" })
+    .default(false)
+    .notNull(),
+  image: text("image"),
+  createdAt: integer("created_at", { mode: "timestamp_ms" })
+    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+    .notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  role: text("role"),
+  banned: integer("banned", { mode: "boolean" }).default(false),
+  banReason: text("ban_reason"),
+  banExpires: integer("ban_expires", { mode: "timestamp_ms" }),
+});
+
+export const session = sqliteTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    impersonatedBy: text("impersonated_by"),
+  },
+  (table) => [index("session_userId_idx").on(table.userId)],
+);
+
+export const account = sqliteTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+      mode: "timestamp_ms",
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+      mode: "timestamp_ms",
+    }),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("account_userId_idx").on(table.userId)],
+);
+
+export const verification = sqliteTable(
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)],
+);
+
+export const userRelations = relations(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+}));
+
+export const sessionRelations = relations(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
+}));
+
+export const accountRelations = relations(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
+}));

package/src/lib/components/AdminLayout.svelte

@@ -7,13 +7,13 @@
   // (the login page lives under this layout) it falls back to a minimal centered shell.
   // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
-  import type { Editor } from '../auth';
+  import type { CairnUser } from '../auth';
 
   let {
     data,
     children,
   }: {
-    data: { siteName: string; editor: Editor | null; pathname: string };
+    data: { siteName: string; user: CairnUser | null; pathname: string };
     children: Snippet;
   } = $props();
 
@@ -41,7 +41,7 @@
       active: data.pathname.startsWith('/admin/admins'),
     },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
   // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
   function closeDrawer(): void {
@@ -68,7 +68,7 @@
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-{#if data.editor}
+{#if data.user}
   <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
@@ -111,8 +111,8 @@
         </ul>
 
         <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.editor.name}</p>
-          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <p class="text-sm font-medium">{data.user.name}</p>
+          <p class="text-xs opacity-60">{data.user.email}</p>
           <form method="POST" action="/admin/auth/logout" class="mt-3">
             <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
           </form>

package/src/lib/components/ConfirmPage.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  // The scanner-safe confirm surface (C2). A GET renders this static page — nothing is consumed.
+  // The token rides in a hidden field; only the explicit form POST (the route's default action →
+  // confirmSignIn) verifies it. Mail scanners GET URLs but don't submit forms, so prefetch can't
+  // burn the link. JS-free by design.
+  interface Props {
+    data: { token: string; siteName: string; error: string | null };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Confirm sign-in · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="mx-auto mt-16 max-w-md rounded-box border border-base-300 bg-base-100 p-8">
+  <h1 class="text-2xl font-bold">Confirm sign-in</h1>
+  <p class="mt-1 text-sm opacity-70">to {data.siteName} CMS</p>
+
+  {#if data.error || !data.token}
+    <div class="alert alert-error mt-6">
+      <span>This sign-in link is invalid or expired. Request a new one.</span>
+    </div>
+    <a href="/admin/login" class="btn btn-primary mt-6">Back to sign-in</a>
+  {:else}
+    <form method="POST" class="mt-6 flex flex-col gap-3">
+      <input type="hidden" name="token" value={data.token} />
+      <button type="submit" class="btn btn-primary">Confirm sign-in</button>
+    </form>
+  {/if}
+</div>

package/src/lib/components/LoginPage.svelte

@@ -1,17 +1,33 @@
 <script lang="ts">
-  // The magic-link sign-in page. Posts the email to /admin/auth/request; `sent`/`error` come
-  // from `loginLoad` (querystring) merged with `adminLayoutLoad` (siteName).
+  // The magic-link sign-in page. Requests a link via the better-auth client (client-side, same
+  // origin). To avoid enumeration the UI shows the SAME neutral copy whether or not the email is
+  // on the allowlist — the server only emails actual editors (see auth/config.ts send gate).
+  import { createAuthClient } from 'better-auth/svelte';
+  import { magicLinkClient } from 'better-auth/client/plugins';
+
+  // The browser client lives in the one component that needs it (requesting a link). Sign-out
+  // and editor management go through server endpoints, so no shared client module is needed —
+  // and a component-local const keeps better-auth's deep client types out of the packaged .d.ts.
+  const authClient = createAuthClient({ plugins: [magicLinkClient()] });
+
   interface Props {
-    data: { siteName: string; sent: boolean; error: string | null };
+    data: { siteName: string };
   }
   let { data }: Props = $props();
 
-  const errorMessages: Record<string, string> = {
-    invalid: 'Please enter a valid email address.',
-    denied: 'That email is not on the editor allowlist.',
-    expired: 'That sign-in link has expired or was already used. Request a new one.',
-    config: 'Sign-in is not configured. Contact the site admin.',
-  };
+  let email = $state('');
+  let requested = $state(false);
+  let busy = $state(false);
+
+  async function request(event: SubmitEvent) {
+    event.preventDefault();
+    busy = true;
+    // The magic-link email points at our /admin/auth/confirm page (built in config.ts), not a
+    // GET-verify URL — so the result is the same regardless of allowlist membership.
+    await authClient.signIn.magicLink({ email });
+    busy = false;
+    requested = true;
+  }
 </script>
 
 <svelte:head>
@@ -22,26 +38,27 @@
   <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
   <p class="mt-1 text-sm opacity-70">Sign in with your editor email.</p>
 
-  {#if data.sent}
+  {#if requested}
     <div class="alert alert-success mt-6">
-      <span>Check your inbox — a sign-in link is on its way. It expires in 10 minutes.</span>
+      <span>
+        If that address is on the editor list, a sign-in link is on its way. It expires in 10
+        minutes.
+      </span>
     </div>
   {:else}
-    {#if data.error}
-      <div class="alert alert-error mt-6">
-        <span>{errorMessages[data.error] ?? 'Something went wrong. Try again.'}</span>
-      </div>
-    {/if}
-    <form method="POST" action="/admin/auth/request" class="mt-6 flex flex-col gap-3">
+    <form onsubmit={request} class="mt-6 flex flex-col gap-3">
       <input
         type="email"
         name="email"
+        bind:value={email}
         required
         autocomplete="email"
         placeholder="you@example.com"
         class="input w-full"
       />
-      <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
+      <button type="submit" class="btn btn-primary" disabled={busy}>
+        {busy ? 'Sending…' : 'Email me a sign-in link'}
+      </button>
     </form>
   {/if}
 </div>

package/src/lib/components/ManageAdmins.svelte

@@ -3,7 +3,7 @@
   // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
   // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
   // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
-  import type { AdminsData } from '../sveltekit';
+  import type { AdminsData } from '../auth';
 
   interface Props {
     data: AdminsData & { siteName: string };

package/src/lib/components/index.ts

@@ -3,5 +3,6 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';

package/src/lib/email.ts

@@ -25,11 +25,18 @@ export async function sendMagicLink(
   from: string,
 ): Promise<void> {
   const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";
-  await sender.send({
-    to,
-    from,
-    subject: `Your ${siteName} sign-in link`,
-    text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
-    html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Sign in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
-  });
+  try {
+    await sender.send({
+      to,
+      from,
+      subject: `Your ${siteName} sign-in link`,
+      text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
+      html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Confirm sign-in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
+    });
+  } catch (err) {
+    // H6: Email Sending is beta + the sole auth channel. Surface + audit; a Resend fallback
+    // can slot in behind this same signature if Sending proves unreliable.
+    console.error(`magic-link email send failed for ${to}:`, err);
+    throw err;
+  }
 }

package/src/lib/index.ts

@@ -1,5 +1,5 @@
-// cairn-cms public API. Consumers import everything from 'cairn-cms'.
-export * from './auth';
+// cairn-cms public API. Consumers import content/email/github/adapter from 'cairn-cms';
+// auth (better-auth factory, guards, manage-editors) lives at the 'cairn-cms/auth' subpath.
 export * from './email';
 export * from './github';
 export * from './carta';

package/src/lib/sveltekit/index.ts

@@ -1,41 +1,22 @@
-// cairn-core: the SvelteKit route server logic, extracted so each site's `admin/**` route
-// files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
+// cairn-core: the SvelteKit content-route server logic, extracted so each site's `admin/**`
+// route files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
 //
 // SvelteKit's filesystem routing requires the route *files* to live in each site's
 // `src/routes/`, but their bodies are identical across sites — only the adapter differs.
 // These functions take the SvelteKit event (typed structurally, to avoid depending on the
 // site-generated `App.*` ambient types) plus the site `CairnAdapter`, and throw
-// `redirect`/`error` from `@sveltejs/kit`. That `@sveltejs/kit` is a peer dependency so the
-// thrown objects share class identity with the host's runtime (else the redirect 500s).
-import { redirect, error, type Cookies } from '@sveltejs/kit';
-import type { KVNamespace } from '@cloudflare/workers-types';
+// `redirect`/`error` from `@sveltejs/kit` (a peer dependency, so the thrown objects share
+// class identity with the host's runtime — else the redirect 500s). Auth/session/manage-editors
+// logic lives under `@glw907/cairn-cms/auth`; this module is content-only (list/edit/save).
+import { redirect, error } from '@sveltejs/kit';
 import matter from 'gray-matter';
-import {
-  createMagicLink,
-  redeemMagicToken,
-  createSession,
-  lookupEditor,
-  listEditors,
-  setEditor,
-  removeEditor,
-  SESSION_COOKIE,
-  SESSION_MAX_AGE,
-  type Editor,
-  type Role,
-} from '../auth';
-import { sendMagicLink, type EmailSender } from '../email';
+import type { CairnUser } from '../auth/guard';
 import { listMarkdown, readRaw, commitFile, installationToken, type RepoFile } from '../github';
 import { serializeMarkdown } from '../content';
 import { findCollection, frontmatterFromForm, type CairnAdapter, type CairnField } from '../adapter';
 
-/** The `platform.env` bindings the admin routes read. All optional — the handlers guard. */
+/** The `platform.env` bindings the content routes read. All optional — the handlers guard. */
 export interface AdminEnv {
-  AUTH_KV?: KVNamespace;
-  MAGIC_LINK_SECRET?: string;
-  SESSION_SECRET?: string;
-  EMAIL?: EmailSender;
-  /** Overrides `url.origin` for the magic-link base (set in dev, unset in prod). */
-  PUBLIC_ORIGIN?: string;
   GITHUB_APP_ID?: string;
   GITHUB_APP_INSTALLATION_ID?: string;
   GITHUB_APP_PRIVATE_KEY_B64?: string;
@@ -45,8 +26,6 @@ interface PlatformEvent {
   platform?: { env?: AdminEnv };
 }
 
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-
 /**
  * Mint a GitHub App installation token for *reads* when the App is configured, else undefined
  * (reads then fall back to anonymous). Authenticated reads get the 5000/hr limit; anonymous
@@ -73,7 +52,7 @@ async function readToken(env: AdminEnv | undefined): Promise<string | undefined>
 // ── /admin layout ──────────────────────────────────────────────────────────
 
 export interface AdminLayoutData {
-  editor: Editor | null;
+  user: CairnUser | null;
   siteName: string;
   pathname: string;
 }
@@ -86,10 +65,10 @@ export interface AdminLayoutData {
  * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export function adminLayoutLoad(
-  event: { locals: { editor: Editor | null }; url: URL },
+  event: { locals: { user: CairnUser | null }; url: URL },
   adapter: CairnAdapter,
 ): AdminLayoutData {
-  return { editor: event.locals.editor, siteName: adapter.siteName, pathname: event.url.pathname };
+  return { user: event.locals.user, siteName: adapter.siteName, pathname: event.url.pathname };
 }
 
 // ── /admin (content list) ────────────────────────────────────────────────────
@@ -120,20 +99,6 @@ export async function adminListLoad(
   return { collections };
 }
 
-// ── /admin/login ──────────────────────────────────────────────────────────────
-
-export interface LoginData {
-  sent: boolean;
-  error: string | null;
-}
-
-export function loginLoad(event: { url: URL }): LoginData {
-  return {
-    sent: event.url.searchParams.get('sent') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
 // ── /admin/edit/[type]/[id] ─────────────────────────────────────────────────
 
 export interface EditData {
@@ -179,92 +144,14 @@ export async function editLoad(
   };
 }
 
-// ── /admin/auth/request (POST) ──────────────────────────────────────────────
-
-export async function authRequest(
-  event: PlatformEvent & { request: Request; url: URL },
-  adapter: CairnAdapter,
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.EMAIL) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (!EMAIL_RE.test(email)) {
-    throw redirect(303, '/admin/login?error=invalid');
-  }
-
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const token = await createMagicLink(email, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  // PUBLIC_ORIGIN overrides url.origin for local dev (where wrangler's custom-domain
-  // route makes url.origin the production host); unset in prod → url.origin is correct.
-  const origin = env.PUBLIC_ORIGIN || event.url.origin;
-  const link = `${origin}/admin/auth/callback?token=${encodeURIComponent(token)}`;
-  try {
-    await sendMagicLink(env.EMAIL, email, link, adapter.siteName, adapter.sender);
-  } catch (err) {
-    console.error('magic-link send failed:', err);
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  throw redirect(303, '/admin/login?sent=1');
-}
-
-// ── /admin/auth/callback (GET) ──────────────────────────────────────────────
-
-export async function authCallback(
-  event: PlatformEvent & { url: URL; cookies: Cookies },
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.SESSION_SECRET) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const token = event.url.searchParams.get('token') ?? '';
-  const email = await redeemMagicToken(token, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  if (!email) {
-    throw redirect(303, '/admin/login?error=expired');
-  }
-
-  // Re-check the allowlist at redemption — membership may have changed since issue.
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const session = await createSession(editor, env.SESSION_SECRET);
-  event.cookies.set(SESSION_COOKIE, session, {
-    path: '/',
-    httpOnly: true,
-    secure: event.url.protocol === 'https:',
-    sameSite: 'lax',
-    maxAge: SESSION_MAX_AGE,
-  });
-
-  throw redirect(303, '/admin');
-}
-
-// ── /admin/auth/logout (POST) ───────────────────────────────────────────────
-
-export function logout(event: { cookies: Cookies }): never {
-  event.cookies.delete(SESSION_COOKIE, { path: '/' });
-  throw redirect(303, '/admin/login');
-}
-
 // ── /admin/save (POST) ──────────────────────────────────────────────────────
 
 export async function saveCommit(
-  event: PlatformEvent & { request: Request; locals: { editor: Editor | null } },
+  event: PlatformEvent & { request: Request; locals: { user: CairnUser | null } },
   adapter: CairnAdapter,
 ): Promise<never> {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
+  const user = event.locals.user;
+  if (!user) throw error(401, 'Not signed in');
 
   const env = event.platform?.env;
   if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
@@ -299,105 +186,9 @@ export async function saveCommit(
     adapter.backend,
     `${collection.dir}/${id}.md`,
     markdown,
-    { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: editor.name, email: editor.email } },
+    { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: user.name, email: user.email } },
     token,
   );
 
   throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
 }
-
-// ── /admin/admins (owner-gated editor management) ────────────────────────────
-
-/**
- * The privilege-escalation gate for the manage-admins surface: only `owner`s may load it or
- * run its actions. Returns the acting owner (so callers can guard self-targeted mutations).
- */
-function requireOwner(event: { locals: { editor: Editor | null } }): Editor {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
-  if (editor.role !== 'owner') throw error(403, 'Owner access required');
-  return editor;
-}
-
-/** Resolve AUTH_KV or fail loudly — the management surface is useless without it. */
-function ownerKv(event: PlatformEvent): KVNamespace {
-  const kv = event.platform?.env?.AUTH_KV;
-  if (!kv) throw error(500, 'Editor allowlist is not configured');
-  return kv;
-}
-
-export interface AdminsData {
-  admins: Editor[];
-  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-  self: string;
-  saved: boolean;
-  error: string | null;
-}
-
-/** List the allowlist for the manage-admins page. Owner-only. */
-export async function adminsLoad(
-  event: PlatformEvent & { locals: { editor: Editor | null }; url: URL },
-): Promise<AdminsData> {
-  const owner = requireOwner(event);
-  const admins = await listEditors(ownerKv(event));
-  return {
-    admins,
-    self: owner.email,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
-type AdminsActionEvent = PlatformEvent & {
-  request: Request;
-  locals: { editor: Editor | null };
-};
-
-function parseRole(value: unknown): Role {
-  return value === 'owner' ? 'owner' : 'editor';
-}
-
-/** Add (or update) an allowlist entry. Owner-only. */
-export async function addAdmin(event: AdminsActionEvent): Promise<never> {
-  requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const name = String(form.get('name') ?? '').trim();
-  if (!EMAIL_RE.test(email) || !name) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-  }
-  await setEditor(email, name, parseRole(form.get('role')), kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (email === owner.email) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-  }
-  await removeEditor(email, kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const role = parseRole(form.get('role'));
-  if (email === owner.email && role !== 'owner') {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-  }
-  const existing = await lookupEditor(email, kv);
-  if (!existing) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  }
-  await setEditor(email, existing.name, role, kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}

package/dist/auth.d.ts

@@ -1,25 +0,0 @@
-import type { KVNamespace } from '@cloudflare/workers-types';
-/** Two-tier, per-site role. `owner`s manage the editor allowlist; `editor`s only edit content. */
-export type Role = 'owner' | 'editor';
-export interface Editor {
-    email: string;
-    name: string;
-    role: Role;
-}
-export declare const SESSION_COOKIE = "cairn_session";
-export declare const SESSION_MAX_AGE: number;
-/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
-export declare function createMagicLink(email: string, secret: string, kv: KVNamespace): Promise<string>;
-/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
-export declare function redeemMagicToken(token: string, secret: string, kv: KVNamespace): Promise<string | null>;
-export declare function createSession(editor: Editor, secret: string): Promise<string>;
-export declare function verifySession(token: string, secret: string): Promise<Editor | null>;
-/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
-export declare function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null>;
-/** Every allowlisted editor, sorted by email — the manage-admins list. */
-export declare function listEditors(kv: KVNamespace): Promise<Editor[]>;
-/** Add or update an allowlist entry (JSON value). Email is normalized. */
-export declare function setEditor(email: string, name: string, role: Role, kv: KVNamespace): Promise<void>;
-/** Remove an allowlist entry. */
-export declare function removeEditor(email: string, kv: KVNamespace): Promise<void>;
-//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,kGAAkG;AAClG,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAyBD,iFAAiF;AACjF,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAED,0EAA0E;AAC1E,wBAAsB,WAAW,CAAC,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CASpE;AAED,0EAA0E;AAC1E,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,iCAAiC;AACjC,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhF"}