@glw907/cairn-cms 0.3.1 → 0.5.0

package/dist/auth/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/lib/auth/schema.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAmBf,CAAC;AAEH,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBnB,CAAC;AAEF,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA4BnB,CAAC;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBxB,CAAC;AAEF,eAAO,MAAM,aAAa;;;EAGvB,CAAC;AAEJ,eAAO,MAAM,gBAAgB;;EAK1B,CAAC;AAEJ,eAAO,MAAM,gBAAgB;;EAK1B,CAAC"}

package/dist/auth/schema.js

@@ -0,0 +1,93 @@
+import { relations, sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+export const user = sqliteTable("user", {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    email: text("email").notNull().unique(),
+    emailVerified: integer("email_verified", { mode: "boolean" })
+        .default(false)
+        .notNull(),
+    image: text("image"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+    role: text("role"),
+    banned: integer("banned", { mode: "boolean" }).default(false),
+    banReason: text("ban_reason"),
+    banExpires: integer("ban_expires", { mode: "timestamp_ms" }),
+});
+export const session = sqliteTable("session", {
+    id: text("id").primaryKey(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+        .notNull()
+        .references(() => user.id, { onDelete: "cascade" }),
+    impersonatedBy: text("impersonated_by"),
+}, (table) => [index("session_userId_idx").on(table.userId)]);
+export const account = sqliteTable("account", {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+        .notNull()
+        .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at", {
+        mode: "timestamp_ms",
+    }),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
+        mode: "timestamp_ms",
+    }),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+}, (table) => [index("account_userId_idx").on(table.userId)]);
+export const verification = sqliteTable("verification", {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: integer("created_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .notNull(),
+    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
+        .default(sql `(cast(unixepoch('subsecond') * 1000 as integer))`)
+        .$onUpdate(() => /* @__PURE__ */ new Date())
+        .notNull(),
+}, (table) => [index("verification_identifier_idx").on(table.identifier)]);
+export const userRelations = relations(user, ({ many }) => ({
+    sessions: many(session),
+    accounts: many(account),
+}));
+export const sessionRelations = relations(session, ({ one }) => ({
+    user: one(user, {
+        fields: [session.userId],
+        references: [user.id],
+    }),
+}));
+export const accountRelations = relations(account, ({ one }) => ({
+    user: one(user, {
+        fields: [account.userId],
+        references: [user.id],
+    }),
+}));

package/dist/carta.d.ts

@@ -18,7 +18,7 @@ interface PreviewTransformer {
  * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
  */
 export declare function previewTransformers({ remarkPlugins, rehypePlugins }: PreviewPlugins): PreviewTransformer[];
-/** Minimal Options subset we populate — avoids importing carta-md (Svelte re-exports). */
+/** Minimal Options subset we populate (avoids importing carta-md, which re-exports Svelte components). */
 interface PreviewCartaOptions {
     sanitizer: false;
     rehypeOptions: {

package/dist/carta.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0FAA0F;AAC1F,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}
+{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0GAA0G;AAC1G,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}

package/dist/components/AdminLayout.svelte

@@ -1,19 +1,19 @@
 <script lang="ts">
   // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
   // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
-  // (`drawer lg:drawer-open` — sidebar pinned on desktop, slide-over + hamburger on mobile),
+  // (`drawer lg:drawer-open`, sidebar pinned on desktop, slide-over + hamburger on mobile),
   // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
   // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
   // (the login page lives under this layout) it falls back to a minimal centered shell.
   // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
-  import type { Editor } from '../auth';
+  import type { CairnUser } from '../auth';
 
   let {
     data,
     children,
   }: {
-    data: { siteName: string; editor: Editor | null; pathname: string };
+    data: { siteName: string; user: CairnUser | null; pathname: string };
     children: Snippet;
   } = $props();
 
@@ -22,7 +22,7 @@
     label: string;
     icon: Snippet;
     active: boolean;
-    /** Owner-only surface — hidden from regular editors. */
+    /** Owner-only surface; hidden from regular editors. */
     owner?: boolean;
   }
 
@@ -41,7 +41,7 @@
       active: data.pathname.startsWith('/admin/admins'),
     },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.editor?.role === 'owner'));
+  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
   // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
   function closeDrawer(): void {
@@ -68,12 +68,12 @@
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
-{#if data.editor}
+{#if data.user}
   <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
     <div class="drawer-content">
-      <!-- Mobile top bar — the desktop sidebar replaces this at lg. -->
+      <!-- Mobile top bar; the desktop sidebar replaces this at lg. -->
       <div class="navbar bg-base-100 lg:hidden">
         <div class="flex-1">
           <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
@@ -111,8 +111,8 @@
         </ul>
 
         <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.editor.name}</p>
-          <p class="text-xs opacity-60">{data.editor.email}</p>
+          <p class="text-sm font-medium">{data.user.name}</p>
+          <p class="text-xs opacity-60">{data.user.email}</p>
           <form method="POST" action="/admin/auth/logout" class="mt-3">
             <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
           </form>

package/dist/components/AdminLayout.svelte.d.ts

@@ -1,9 +1,9 @@
 import type { Snippet } from 'svelte';
-import type { Editor } from '../auth';
+import type { CairnUser } from '../auth';
 type $$ComponentProps = {
     data: {
         siteName: string;
-        editor: Editor | null;
+        user: CairnUser | null;
         pathname: string;
     };
     children: Snippet;

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAWrC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/AdminList.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
   // The /admin content list: every collection's files, linking into the editor. Data comes
   // from `adminListLoad` (collections) merged with `adminLayoutLoad` (siteName). The shell
-  // (AdminLayout) owns the chrome — site title, signed-in identity, nav, sign out — so this
+  // (AdminLayout) owns the chrome (site title, signed-in identity, nav, sign out), so this
   // page renders only the content body.
   import type { AdminCollectionList } from '../sveltekit';
 

package/dist/components/ConfirmPage.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+  // The scanner-safe confirm surface (C2). A GET renders this static page and consumes nothing.
+  // The token rides in a hidden field; only the explicit form POST (the route's default action,
+  // confirmSignIn) verifies it. Mail scanners GET URLs but don't submit forms, so prefetch can't
+  // burn the link. JS-free by design.
+  interface Props {
+    data: { token: string; siteName: string; error: string | null };
+  }
+  let { data }: Props = $props();
+</script>
+
+<svelte:head>
+  <title>Confirm sign-in · {data.siteName} CMS</title>
+</svelte:head>
+
+<div class="mx-auto mt-16 max-w-md rounded-box border border-base-300 bg-base-100 p-8">
+  <h1 class="text-2xl font-bold">Confirm sign-in</h1>
+  <p class="mt-1 text-sm opacity-70">to {data.siteName} CMS</p>
+
+  {#if data.error || !data.token}
+    <div class="alert alert-error mt-6">
+      <span>This sign-in link is invalid or expired. Request a new one.</span>
+    </div>
+    <a href="/admin/login" class="btn btn-primary mt-6">Back to sign-in</a>
+  {:else}
+    <form method="POST" class="mt-6 flex flex-col gap-3">
+      <input type="hidden" name="token" value={data.token} />
+      <button type="submit" class="btn btn-primary">Confirm sign-in</button>
+    </form>
+  {/if}
+</div>

package/dist/components/ConfirmPage.svelte.d.ts

@@ -0,0 +1,11 @@
+interface Props {
+    data: {
+        token: string;
+        siteName: string;
+        error: string | null;
+    };
+}
+declare const ConfirmPage: import("svelte").Component<Props, {}, "">;
+type ConfirmPage = ReturnType<typeof ConfirmPage>;
+export default ConfirmPage;
+//# sourceMappingURL=ConfirmPage.svelte.d.ts.map

package/dist/components/ConfirmPage.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConfirmPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ConfirmPage.svelte.ts"],"names":[],"mappings":"AAOE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACjE;AA6BH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/EditPage.svelte

@@ -13,21 +13,21 @@
 
   // Body is editable state; the Carta editor's preview runs the exact site plugin set, so it
   // matches the live page. A hidden input carries the current value into the form.
-  // svelte-ignore state_referenced_locally — seeding from the initial load is intended.
+  // svelte-ignore state_referenced_locally (seeding from the initial load is intended)
   let body = $state(data.body);
 
-  // svelte-ignore state_referenced_locally — the preview plugin set is fixed for the load.
+  // svelte-ignore state_referenced_locally (the preview plugin set is fixed for the load)
   const carta = new Carta(previewCartaOptions(preview));
 
   // Carta's MarkdownEditor must not render on the worker (it pulls Shiki). onMount fires only
-  // in the browser, so SSR renders the plain textarea and the client swaps in the editor —
-  // the kit-free equivalent of the per-site route's `$app/environment` `browser` guard.
+  // in the browser, so SSR renders the plain textarea and the client swaps in the editor.
+  // This is the kit-free equivalent of the per-site route's `$app/environment` `browser` guard.
   let mounted = $state(false);
   onMount(() => {
     mounted = true;
   });
 
-  // svelte-ignore state_referenced_locally — form defaults from the initial load.
+  // svelte-ignore state_referenced_locally (form defaults from the initial load)
   const fm = data.frontmatter as Record<string, unknown>;
 
   function fmString(key: string): string {

package/dist/components/LoginPage.svelte

@@ -1,17 +1,33 @@
 <script lang="ts">
-  // The magic-link sign-in page. Posts the email to /admin/auth/request; `sent`/`error` come
-  // from `loginLoad` (querystring) merged with `adminLayoutLoad` (siteName).
+  // The magic-link sign-in page. Requests a link via the better-auth client (client-side, same
+  // origin). To avoid enumeration the UI shows the same neutral copy whether or not the email is
+  // on the allowlist. The server only emails actual editors (see auth/config.ts send gate).
+  import { createAuthClient } from 'better-auth/svelte';
+  import { magicLinkClient } from 'better-auth/client/plugins';
+
+  // The browser client lives in the one component that needs it (requesting a link). Sign-out
+  // and editor management go through server endpoints, so no shared client module is needed.
+  // A component-local const keeps better-auth's deep client types out of the packaged .d.ts.
+  const authClient = createAuthClient({ plugins: [magicLinkClient()] });
+
   interface Props {
-    data: { siteName: string; sent: boolean; error: string | null };
+    data: { siteName: string };
   }
   let { data }: Props = $props();
 
-  const errorMessages: Record<string, string> = {
-    invalid: 'Please enter a valid email address.',
-    denied: 'That email is not on the editor allowlist.',
-    expired: 'That sign-in link has expired or was already used. Request a new one.',
-    config: 'Sign-in is not configured. Contact the site admin.',
-  };
+  let email = $state('');
+  let requested = $state(false);
+  let busy = $state(false);
+
+  async function request(event: SubmitEvent) {
+    event.preventDefault();
+    busy = true;
+    // The magic-link email points at our /admin/auth/confirm page (built in config.ts), not a
+    // GET-verify URL, so the result is the same regardless of allowlist membership.
+    await authClient.signIn.magicLink({ email });
+    busy = false;
+    requested = true;
+  }
 </script>
 
 <svelte:head>
@@ -22,26 +38,27 @@
   <h1 class="text-2xl font-bold">{data.siteName} CMS</h1>
   <p class="mt-1 text-sm opacity-70">Sign in with your editor email.</p>
 
-  {#if data.sent}
+  {#if requested}
     <div class="alert alert-success mt-6">
-      <span>Check your inbox — a sign-in link is on its way. It expires in 10 minutes.</span>
+      <span>
+        If that address is on the editor list, a sign-in link is on its way. It expires in 10
+        minutes.
+      </span>
     </div>
   {:else}
-    {#if data.error}
-      <div class="alert alert-error mt-6">
-        <span>{errorMessages[data.error] ?? 'Something went wrong. Try again.'}</span>
-      </div>
-    {/if}
-    <form method="POST" action="/admin/auth/request" class="mt-6 flex flex-col gap-3">
+    <form onsubmit={request} class="mt-6 flex flex-col gap-3">
       <input
         type="email"
         name="email"
+        bind:value={email}
         required
         autocomplete="email"
         placeholder="you@example.com"
         class="input w-full"
       />
-      <button type="submit" class="btn btn-primary">Email me a sign-in link</button>
+      <button type="submit" class="btn btn-primary" disabled={busy}>
+        {busy ? 'Sending…' : 'Email me a sign-in link'}
+      </button>
     </form>
   {/if}
 </div>

package/dist/components/LoginPage.svelte.d.ts

@@ -1,8 +1,6 @@
 interface Props {
     data: {
         siteName: string;
-        sent: boolean;
-        error: string | null;
     };
 }
 declare const LoginPage: import("svelte").Component<Props, {}, "">;

package/dist/components/LoginPage.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LoginPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/LoginPage.svelte.ts"],"names":[],"mappings":"AAKE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CACjE;AAwCH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}
+{"version":3,"file":"LoginPage.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/LoginPage.svelte.ts"],"names":[],"mappings":"AAUE,UAAU,KAAK;IACb,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5B;AAyDH,QAAA,MAAM,SAAS,2CAAwC,CAAC;AACxD,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;AAC9C,eAAe,SAAS,CAAC"}

package/dist/components/ManageAdmins.svelte

@@ -3,7 +3,7 @@
   // ones. Reuses the same neutral DaisyUI chrome as the rest of the admin (panels, alerts,
   // table, buttons). Data comes from `adminsLoad` merged with `adminLayoutLoad` (siteName);
   // mutations post to the page's named form actions (`?/add`, `?/remove`, `?/setRole`).
-  import type { AdminsData } from '../sveltekit';
+  import type { AdminsData } from '../auth';
 
   interface Props {
     data: AdminsData & { siteName: string };

package/dist/components/ManageAdmins.svelte.d.ts

@@ -1,4 +1,4 @@
-import type { AdminsData } from '../sveltekit';
+import type { AdminsData } from '../auth';
 interface Props {
     data: AdminsData & {
         siteName: string;

package/dist/components/ManageAdmins.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ManageAdmins.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ManageAdmins.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG7C,UAAU,KAAK;IACb,IAAI,EAAE,UAAU,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAmFH,QAAA,MAAM,YAAY,2CAAwC,CAAC;AAC3D,KAAK,YAAY,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AACpD,eAAe,YAAY,CAAC"}
+{"version":3,"file":"ManageAdmins.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ManageAdmins.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGxC,UAAU,KAAK;IACb,IAAI,EAAE,UAAU,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAmFH,QAAA,MAAM,YAAY,2CAAwC,CAAC;AAC3D,KAAK,YAAY,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AACpD,eAAe,YAAY,CAAC"}

package/dist/components/index.d.ts

@@ -1,6 +1,7 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/components/index.js

@@ -3,5 +3,6 @@
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as AdminList } from './AdminList.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
+export { default as ConfirmPage } from './ConfirmPage.svelte';
 export { default as EditPage } from './EditPage.svelte';
 export { default as ManageAdmins } from './ManageAdmins.svelte';

package/dist/email.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAQA,4FAA4F;AAC5F,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CASf"}
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAQA,4FAA4F;AAC5F,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAgBf"}

package/dist/email.js

@@ -1,17 +1,25 @@
 // cairn-core: pluggable magic-link email sender.
 //
-// Default adapter is Cloudflare Email Service → Email Sending (transactional, arbitrary
-// recipients) — distinct from Email Routing's recipient-restricted `EmailMessage` flow.
-// It is reached through the same `send_email` binding (configured without a
-// destination_address) but a different call shape: `binding.send({ to, from, ... })`.
+// The default adapter targets Cloudflare Email Service (Email Sending, transactional,
+// arbitrary recipients), distinct from Email Routing's recipient-restricted `EmailMessage`
+// flow. Both share the same `send_email` binding (configured without a destination_address)
+// but use a different call shape: `binding.send({ to, from, ... })`.
 // Resend can slot in behind the same `sendMagicLink` signature if needed.
 export async function sendMagicLink(sender, to, link, siteName, from) {
     const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";
-    await sender.send({
-        to,
-        from,
-        subject: `Your ${siteName} sign-in link`,
-        text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
-        html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Sign in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
-    });
+    try {
+        await sender.send({
+            to,
+            from,
+            subject: `Your ${siteName} sign-in link`,
+            text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
+            html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Confirm sign-in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
+        });
+    }
+    catch (err) {
+        // H6: Email Sending is beta + the sole auth channel. Surface + audit; a Resend fallback
+        // can slot in behind this same signature if Sending proves unreliable.
+        console.error(`magic-link email send failed for ${to}:`, err);
+        throw err;
+    }
 }

package/dist/github.d.ts

@@ -27,7 +27,7 @@ export declare function appJwt(appId: string, privateKeyPem: string): Promise<st
 export interface AppCredentials {
     appId: string;
     installationId: string;
-    /** The stored GITHUB_APP_PRIVATE_KEY_B64 — base64 of the PEM, single line. */
+    /** The stored GITHUB_APP_PRIVATE_KEY_B64: base64 of the PEM, single line. */
     privateKeyB64: string;
 }
 /** Exchange the App JWT for a short-lived installation access token. */
@@ -38,15 +38,35 @@ export interface CommitAuthor {
     name: string;
     email: string;
 }
+/**
+ * A concurrent edit lost the SHA race (C3): the file changed between the read and the PUT,
+ * from another editor or the site's own CI. Thrown so callers can fail safe (re-fetch and ask
+ * the editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable (no peer-boundary identity split, unlike kit's `redirect`/`error`).
+ */
+export declare class CommitConflictError extends Error {
+    readonly path: string;
+    constructor(path: string);
+}
 /**
  * Commit `content` to `path` on the configured branch via the contents API. Author is the
  * editor; committer is omitted so GitHub attributes it to the App (cairn-cms[bot]). Updates
  * the file in place when it exists (passing its sha), creates it otherwise. Returns the
- * commit sha.
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`.
  */
 export declare function commitFile(repo: RepoRef, path: string, content: string, opts: {
     message: string;
     author: CommitAuthor;
 }, token: string): Promise<string>;
+/**
+ * Deploy-time self-test for the GitHub App signer (M2): sign a dummy JWT with the configured
+ * private key. Exercises the brittle PKCS#1→PKCS#8 conversion + Web Crypto import/sign without
+ * any network call or secret in the result, so `/admin/healthz` catches a bad/rotated key
+ * before an editor's save fails. Returns `{ ok: false, detail }` rather than throwing.
+ */
+export declare function signingSelfTest(appId: string, privateKeyB64: string): Promise<{
+    ok: boolean;
+    detail?: string;
+}>;
 export {};
 //# sourceMappingURL=github.d.ts.map

package/dist/github.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../src/lib/github.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,mFAAmF;AACnF,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,uFAAuF;AACvF,wBAAgB,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,QAAQ,EAAE,CAKlE;AAED,yDAAyD;AACzD,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAIlG;AAED,iEAAiE;AACjE,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAqCD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,8EAA8E;IAC9E,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ9E;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAgBjB"}
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../src/lib/github.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,mFAAmF;AACnF,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,uFAAuF;AACvF,wBAAgB,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,QAAQ,EAAE,CAKlE;AAED,yDAAyD;AACzD,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAIlG;AAED,iEAAiE;AACjE,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAqCD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ9E;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAChB,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM;CAIzC;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAmBjB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAQrH"}

package/dist/github.js

@@ -2,8 +2,8 @@
 //
 // Reads (Pass B) list a collection directory and fetch a file's raw markdown; the token
 // is optional because ecnordic's repo is public. Writes (Pass C) mint a short-lived
-// GitHub App installation token — App JWT (RS256) signed with Web Crypto, no octokit
-// dependency — and commit through the contents API with author = editor, committer = the
+// GitHub App installation token (App JWT, RS256 signed with Web Crypto, no octokit
+// dependency) and commit through the contents API with author = editor, committer = the
 // App (cairn-cms[bot]). The same token also lifts reads to the authenticated rate limit
 // and unlocks private repos (e.g. 907-life).
 import { bytesToB64url } from './utils';
@@ -64,7 +64,7 @@ function derLength(n) {
 }
 // AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
 const RSA_ALG_ID = [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00];
-/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 — the only RSA form Web Crypto importKey takes. */
+/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 (the only RSA form Web Crypto importKey takes). */
 function pkcs1ToPkcs8(pkcs1) {
     const octet = [0x04, ...derLength(pkcs1.length), ...pkcs1];
     const body = [0x02, 0x01, 0x00, ...RSA_ALG_ID, ...octet];
@@ -97,7 +97,7 @@ export async function installationToken(creds) {
         throw new Error(`GitHub installation token failed: ${res.status}`);
     return (await res.json()).token;
 }
-/** Standard (padded) base64 of UTF-8 text — the encoding the contents API expects. */
+/** Standard (padded) base64 of UTF-8 text, as the contents API expects. */
 function toBase64(text) {
     return btoa(Array.from(encoder.encode(text), (b) => String.fromCharCode(b)).join(''));
 }
@@ -110,11 +110,25 @@ export async function fileSha(repo, path, token) {
         throw new Error(`GitHub stat ${path} failed: ${res.status}`);
     return (await res.json()).sha;
 }
+/**
+ * A concurrent edit lost the SHA race (C3): the file changed between the read and the PUT,
+ * from another editor or the site's own CI. Thrown so callers can fail safe (re-fetch and ask
+ * the editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable (no peer-boundary identity split, unlike kit's `redirect`/`error`).
+ */
+export class CommitConflictError extends Error {
+    path;
+    constructor(path) {
+        super(`Commit conflict on ${path}: it changed since it was opened`);
+        this.path = path;
+        this.name = 'CommitConflictError';
+    }
+}
 /**
  * Commit `content` to `path` on the configured branch via the contents API. Author is the
  * editor; committer is omitted so GitHub attributes it to the App (cairn-cms[bot]). Updates
  * the file in place when it exists (passing its sha), creates it otherwise. Returns the
- * commit sha.
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`.
  */
 export async function commitFile(repo, path, content, opts, token) {
     const sha = await fileSha(repo, path, token);
@@ -130,7 +144,28 @@ export async function commitFile(repo, path, content, opts, token) {
             ...(sha ? { sha } : {}),
         }),
     });
+    // 409 = the blob sha we read is no longer current. Fail safe: the caller re-fetches and the
+    // editor reapplies. (Full three-way merge stays out of scope; see ARCHITECTURE §5.)
+    if (res.status === 409)
+        throw new CommitConflictError(path);
     if (!res.ok)
         throw new Error(`GitHub commit ${path} failed: ${res.status} ${await res.text()}`);
     return (await res.json()).commit.sha;
 }
+/**
+ * Deploy-time self-test for the GitHub App signer (M2): sign a dummy JWT with the configured
+ * private key. Exercises the brittle PKCS#1→PKCS#8 conversion + Web Crypto import/sign without
+ * any network call or secret in the result, so `/admin/healthz` catches a bad/rotated key
+ * before an editor's save fails. Returns `{ ok: false, detail }` rather than throwing.
+ */
+export async function signingSelfTest(appId, privateKeyB64) {
+    try {
+        const jwt = await appJwt(appId, atob(privateKeyB64));
+        if (jwt.split('.').length !== 3)
+            return { ok: false, detail: 'malformed JWT' };
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, detail: err instanceof Error ? err.message : 'sign failed' };
+    }
+}

package/dist/index.d.ts

@@ -1,7 +1,7 @@
-export * from './auth';
 export * from './email';
 export * from './github';
 export * from './carta';
 export * from './content';
 export * from './adapter';
+export * from './render';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AACA,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,UAAU,CAAC"}