@glw907/cairn-cms 0.3.1 → 0.5.0

package/src/lib/render/registry.ts

@@ -0,0 +1,36 @@
+import type { Element } from 'hast';
+
+/** A site component: how it inserts (editor) and how it renders (rehype). */
+export interface ComponentDef {
+	/** Directive name, e.g. 'card' (matches `:::card`). */
+	name: string;
+	/** Palette label. */
+	label: string;
+	/** Palette description. */
+	description: string;
+	/** Markdown scaffold inserted at the cursor by the editor palette. */
+	insertTemplate: string;
+	/** Build the final hast element from the stamped directive element. */
+	build: (node: Element, rise?: string) => Element;
+	/** Optional role→default-icon (e.g. `{ caution: 'warning' }`). */
+	defaultIconByRole?: Record<string, string>;
+}
+
+export interface ComponentRegistry {
+	defs: ComponentDef[];
+	names: string[];
+	get(name: string): ComponentDef | undefined;
+	defaultIcon(name: string, role?: string): string | undefined;
+}
+
+/** Build a registry from a site's component definitions. The single source the
+ *  render pipeline (directive stamp + rehype dispatch) and the editor palette read. */
+export function defineRegistry(input: { components: ComponentDef[] }): ComponentRegistry {
+	const byName = new Map(input.components.map((c) => [c.name, c]));
+	return {
+		defs: input.components,
+		names: input.components.map((c) => c.name),
+		get: (name) => byName.get(name),
+		defaultIcon: (name, role) => (role ? byName.get(name)?.defaultIconByRole?.[role] : undefined),
+	};
+}

package/src/lib/render/rehype-dispatch.ts

@@ -0,0 +1,97 @@
+import type { Root, Element, ElementContent, Properties } from 'hast';
+import { h } from 'hastscript';
+import type { ComponentRegistry } from './registry';
+
+export function isElement(node: ElementContent | undefined): node is Element {
+	return !!node && node.type === 'element';
+}
+
+// hast Properties values are PropertyValue (string | number | boolean | array | null).
+// Directive markers (dataIcon/dataRole/dataPrimitive) are always stamped as strings;
+// this reads them back with that guarantee instead of casting at each call site.
+export function strProp(node: Element, name: string): string | undefined {
+	const value = node.properties?.[name];
+	return typeof value === 'string' ? value : undefined;
+}
+
+/** Wrap a pre-built glyph in an ec-icon span; secondary role adds the modifier. */
+export function iconSpan(glyphEl: Element, role?: string): Element {
+	const className = role === 'secondary' ? ['ec-icon', 'ec-icon-secondary'] : ['ec-icon'];
+	return h('span', { className }, [glyphEl]);
+}
+
+/** A site's icon factory: turn a stamped icon name + role into a hast element. */
+export type MakeIcon = (name: string, role?: string) => Element;
+
+// Pull the section's <h2> out, retag it .card-title, and build the .ec-head row
+// (optional icon + heading). Returns the head plus the remaining body children.
+// `makeIcon` (site-supplied) turns the stamped data-icon into an element; omit it
+// for a head with no icon.
+export function splitHead(node: Element, makeIcon?: MakeIcon): { head: Element; rest: ElementContent[] } {
+	const children = node.children as ElementContent[];
+	const i = children.findIndex((c) => isElement(c) && c.tagName === 'h2');
+	const h2 = children[i] as Element;
+	h2.properties = { ...h2.properties, className: ['card-title'] };
+	const rest = children.filter((_, j) => j !== i);
+	const icon = strProp(node, 'dataIcon');
+	const role = strProp(node, 'dataRole');
+	const headKids: ElementContent[] = [];
+	if (makeIcon && icon) headKids.push(makeIcon(icon, role));
+	headKids.push(h2);
+	return { head: h('div', { className: ['ec-head'] }, headKids), rest };
+}
+
+/** Section wrapper: `<section class=…><div class="card-body">…</div></section>`,
+ *  with an optional inline rise style. */
+export function cardShell(classes: string[], rise: string | undefined, body: ElementContent[]): Element {
+	const properties: Properties = { className: classes };
+	if (rise) properties.style = rise;
+	return h('section', properties, [h('div', { className: ['card-body'] }, body)]);
+}
+
+/** Tag the first <ul> among children with `ec-grid` and strip its whitespace-only
+ *  text nodes so the bare list serializes without newlines. Returns that <ul>. */
+export function markFirstList(children: ElementContent[]): Element | undefined {
+	const ul = children.find((c) => isElement(c) && c.tagName === 'ul') as Element | undefined;
+	if (ul) {
+		ul.properties = { ...ul.properties, className: ['ec-grid'] };
+		ul.children = (ul.children as ElementContent[]).filter(
+			(c) => !(c.type === 'text' && /^\s*$/.test(c.value)),
+		);
+	}
+	return ul;
+}
+
+// Recurse into a node's children, transforming any nested primitive sections
+// (a grid inside a card, panels inside a split) WITHOUT a rise stagger.
+function transformChildren(children: ElementContent[], registry: ComponentRegistry): ElementContent[] {
+	return children.map((c) => {
+		if (isElement(c) && c.properties?.dataPrimitive) return transformNode(c, registry);
+		if (isElement(c)) c.children = transformChildren(c.children as ElementContent[], registry);
+		return c;
+	});
+}
+
+function transformNode(node: Element, registry: ComponentRegistry, rise?: string): Element {
+	node.children = transformChildren(node.children as ElementContent[], registry);
+	const name = strProp(node, 'dataPrimitive');
+	const def = name ? registry.get(name) : undefined;
+	return def ? def.build(node, rise) : node;
+}
+
+/** Rehype transformer: dispatch each stamped element through its registry `build`
+ *  fn. Top-level primitives get a document-order rise stagger when `rise` is
+ *  supplied (a site's per-index motion formula); nested ones don't. Non-primitive
+ *  content (lede, intro paragraphs, the page-toc nav) passes through untouched. */
+export function rehypeDispatch(registry: ComponentRegistry, rise?: (idx: number) => string) {
+	return (tree: Root) => {
+		let idx = 0;
+		tree.children = (tree.children as ElementContent[]).map((child) => {
+			if (isElement(child) && child.properties?.dataPrimitive) {
+				return transformNode(child, registry, rise ? rise(idx++) : undefined);
+			}
+			if (isElement(child)) child.children = transformChildren(child.children as ElementContent[], registry);
+			return child;
+		});
+	};
+}

package/src/lib/render/remark-directives.ts

@@ -0,0 +1,71 @@
+import type { Paragraph, PhrasingContent, Root, Text } from 'mdast';
+import type { ContainerDirective, LeafDirective, TextDirective } from 'mdast-util-directive';
+import { visit } from 'unist-util-visit';
+import type { ComponentRegistry } from './registry';
+
+// Reconstruct a directive's authored attribute block (`{#id .class key="value"}`).
+// Accidental prose directives carry none, so this is almost always empty.
+function serializeAttributes(attributes?: Record<string, string | null | undefined> | null): string {
+	if (!attributes) return '';
+	const tokens: string[] = [];
+	for (const [key, value] of Object.entries(attributes)) {
+		if (value == null) tokens.push(key);
+		else if (key === 'id') tokens.push(`#${value}`);
+		else if (key === 'class') for (const c of value.split(/\s+/).filter(Boolean)) tokens.push(`.${c}`);
+		else tokens.push(`${key}="${value}"`);
+	}
+	return tokens.length ? `{${tokens.join(' ')}}` : '';
+}
+
+// The vocabulary is container-only (`:::name`). A text directive (`:name`) or
+// leaf directive (`::name`) is therefore always an accidental colon in prose
+// ("4:00", "9:30", "ratio 16:9") that micromark tokenized as a directive.
+// Restore it to its literal source text so prose renders verbatim.
+function restoreLiteral(node: TextDirective | LeafDirective): PhrasingContent[] {
+	const marker = node.type === 'leafDirective' ? '::' : ':';
+	const attrs = serializeAttributes(node.attributes);
+	if (node.children.length === 0) {
+		return [{ type: 'text', value: marker + node.name + attrs }];
+	}
+	const open: Text = { type: 'text', value: `${marker}${node.name}[` };
+	const close: Text = { type: 'text', value: `]${attrs}` };
+	return [open, ...(node.children as PhrasingContent[]), close];
+}
+
+// Stamp each registered container directive with data-* markers carrying its
+// component name, icon, and role. No structure is built here; the rehype
+// dispatcher rewrites the marked elements once their children are hast.
+// Text and leaf directives are restored to literal text (accidental prose colons).
+export function remarkDirectiveStamp(registry: ComponentRegistry) {
+	const known = new Set(registry.names);
+	return (tree: Root) => {
+		visit(tree, 'containerDirective', (node: ContainerDirective) => {
+			if (!known.has(node.name)) return;
+			const attrs = node.attributes ?? {};
+			const role = attrs.role || undefined;
+			let icon = attrs.icon || undefined;
+			if (!icon && role) icon = registry.defaultIcon(node.name, role);
+
+			const properties: Record<string, string> = { dataPrimitive: node.name };
+			if (icon) properties.dataIcon = icon;
+			if (role) properties.dataRole = role;
+
+			const data = node.data ?? (node.data = {});
+			data.hName = 'div';
+			data.hProperties = properties;
+		});
+
+		visit(tree, ['textDirective', 'leafDirective'], (node, index, parent) => {
+			if (!parent || index == null) return;
+			const literal = restoreLiteral(node as TextDirective | LeafDirective);
+			if (node.type === 'leafDirective') {
+				// Leaf directives sit at block level; wrap the restored text in a paragraph.
+				const paragraph: Paragraph = { type: 'paragraph', children: literal };
+				parent.children.splice(index, 1, paragraph);
+			} else {
+				parent.children.splice(index, 1, ...literal);
+			}
+			return index;
+		});
+	};
+}

package/src/lib/sveltekit/index.ts

@@ -1,41 +1,30 @@
-// cairn-core: the SvelteKit route server logic, extracted so each site's `admin/**` route
-// files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
+// cairn-core: the SvelteKit content-route server logic, extracted so each site's `admin/**`
+// route files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
 //
 // SvelteKit's filesystem routing requires the route *files* to live in each site's
-// `src/routes/`, but their bodies are identical across sites — only the adapter differs.
+// `src/routes/`, but their bodies are identical across sites. Only the adapter differs.
 // These functions take the SvelteKit event (typed structurally, to avoid depending on the
 // site-generated `App.*` ambient types) plus the site `CairnAdapter`, and throw
-// `redirect`/`error` from `@sveltejs/kit`. That `@sveltejs/kit` is a peer dependency so the
-// thrown objects share class identity with the host's runtime (else the redirect 500s).
-import { redirect, error, type Cookies } from '@sveltejs/kit';
-import type { KVNamespace } from '@cloudflare/workers-types';
+// `redirect`/`error` from `@sveltejs/kit` (a peer dependency, so the thrown objects share
+// class identity with the host's runtime; otherwise the redirect 500s). Auth/session/manage-editors
+// logic lives under `@glw907/cairn-cms/auth`; this module is content-only (list/edit/save).
+import { redirect, error } from '@sveltejs/kit';
 import matter from 'gray-matter';
+import type { CairnUser } from '../auth/guard';
 import {
-  createMagicLink,
-  redeemMagicToken,
-  createSession,
-  lookupEditor,
-  listEditors,
-  setEditor,
-  removeEditor,
-  SESSION_COOKIE,
-  SESSION_MAX_AGE,
-  type Editor,
-  type Role,
-} from '../auth';
-import { sendMagicLink, type EmailSender } from '../email';
-import { listMarkdown, readRaw, commitFile, installationToken, type RepoFile } from '../github';
+  listMarkdown,
+  readRaw,
+  commitFile,
+  installationToken,
+  signingSelfTest,
+  CommitConflictError,
+  type RepoFile,
+} from '../github';
 import { serializeMarkdown } from '../content';
 import { findCollection, frontmatterFromForm, type CairnAdapter, type CairnField } from '../adapter';
 
-/** The `platform.env` bindings the admin routes read. All optional — the handlers guard. */
+/** The `platform.env` bindings the content routes read. All optional; the handlers guard. */
 export interface AdminEnv {
-  AUTH_KV?: KVNamespace;
-  MAGIC_LINK_SECRET?: string;
-  SESSION_SECRET?: string;
-  EMAIL?: EmailSender;
-  /** Overrides `url.origin` for the magic-link base (set in dev, unset in prod). */
-  PUBLIC_ORIGIN?: string;
   GITHUB_APP_ID?: string;
   GITHUB_APP_INSTALLATION_ID?: string;
   GITHUB_APP_PRIVATE_KEY_B64?: string;
@@ -45,13 +34,11 @@ interface PlatformEvent {
   platform?: { env?: AdminEnv };
 }
 
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-
 /**
  * Mint a GitHub App installation token for *reads* when the App is configured, else undefined
  * (reads then fall back to anonymous). Authenticated reads get the 5000/hr limit; anonymous
  * reads share GitHub's 60/hr-per-IP budget across Cloudflare's egress IPs, so they 403 in prod.
- * A mint failure degrades gracefully to anonymous rather than 500ing — unlike the commit path,
+ * A mint failure degrades gracefully to anonymous rather than 500ing. Unlike the commit path,
  * where a missing App is fatal, a read can still succeed unauthenticated.
  */
 async function readToken(env: AdminEnv | undefined): Promise<string | undefined> {
@@ -73,23 +60,23 @@ async function readToken(env: AdminEnv | undefined): Promise<string | undefined>
 // ── /admin layout ──────────────────────────────────────────────────────────
 
 export interface AdminLayoutData {
-  editor: Editor | null;
+  user: CairnUser | null;
   siteName: string;
   pathname: string;
 }
 
 /**
  * Branding + session for every admin page. `siteName` flows from the adapter without pulling
- * its plugin graph into client bundles — the import stays server-side in the layout load.
+ * its plugin graph into client bundles; the import stays server-side in the layout load.
  * `pathname` lets the shared shell highlight the active nav item without a `$app/*` import
  * (those kit virtual modules have no types outside a kit app, so they can't live in the
  * package); reading `event.url` here also opts the layout load into rerunning on navigation.
  */
 export function adminLayoutLoad(
-  event: { locals: { editor: Editor | null }; url: URL },
+  event: { locals: { user: CairnUser | null }; url: URL },
   adapter: CairnAdapter,
 ): AdminLayoutData {
-  return { editor: event.locals.editor, siteName: adapter.siteName, pathname: event.url.pathname };
+  return { user: event.locals.user, siteName: adapter.siteName, pathname: event.url.pathname };
 }
 
 // ── /admin (content list) ────────────────────────────────────────────────────
@@ -120,20 +107,6 @@ export async function adminListLoad(
   return { collections };
 }
 
-// ── /admin/login ──────────────────────────────────────────────────────────────
-
-export interface LoginData {
-  sent: boolean;
-  error: string | null;
-}
-
-export function loginLoad(event: { url: URL }): LoginData {
-  return {
-    sent: event.url.searchParams.get('sent') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
 // ── /admin/edit/[type]/[id] ─────────────────────────────────────────────────
 
 export interface EditData {
@@ -179,92 +152,14 @@ export async function editLoad(
   };
 }
 
-// ── /admin/auth/request (POST) ──────────────────────────────────────────────
-
-export async function authRequest(
-  event: PlatformEvent & { request: Request; url: URL },
-  adapter: CairnAdapter,
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.EMAIL) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (!EMAIL_RE.test(email)) {
-    throw redirect(303, '/admin/login?error=invalid');
-  }
-
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const token = await createMagicLink(email, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  // PUBLIC_ORIGIN overrides url.origin for local dev (where wrangler's custom-domain
-  // route makes url.origin the production host); unset in prod → url.origin is correct.
-  const origin = env.PUBLIC_ORIGIN || event.url.origin;
-  const link = `${origin}/admin/auth/callback?token=${encodeURIComponent(token)}`;
-  try {
-    await sendMagicLink(env.EMAIL, email, link, adapter.siteName, adapter.sender);
-  } catch (err) {
-    console.error('magic-link send failed:', err);
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  throw redirect(303, '/admin/login?sent=1');
-}
-
-// ── /admin/auth/callback (GET) ──────────────────────────────────────────────
-
-export async function authCallback(
-  event: PlatformEvent & { url: URL; cookies: Cookies },
-): Promise<never> {
-  const env = event.platform?.env;
-  if (!env?.AUTH_KV || !env.MAGIC_LINK_SECRET || !env.SESSION_SECRET) {
-    throw redirect(303, '/admin/login?error=config');
-  }
-
-  const token = event.url.searchParams.get('token') ?? '';
-  const email = await redeemMagicToken(token, env.MAGIC_LINK_SECRET, env.AUTH_KV);
-  if (!email) {
-    throw redirect(303, '/admin/login?error=expired');
-  }
-
-  // Re-check the allowlist at redemption — membership may have changed since issue.
-  const editor = await lookupEditor(email, env.AUTH_KV);
-  if (!editor) {
-    throw redirect(303, '/admin/login?error=denied');
-  }
-
-  const session = await createSession(editor, env.SESSION_SECRET);
-  event.cookies.set(SESSION_COOKIE, session, {
-    path: '/',
-    httpOnly: true,
-    secure: event.url.protocol === 'https:',
-    sameSite: 'lax',
-    maxAge: SESSION_MAX_AGE,
-  });
-
-  throw redirect(303, '/admin');
-}
-
-// ── /admin/auth/logout (POST) ───────────────────────────────────────────────
-
-export function logout(event: { cookies: Cookies }): never {
-  event.cookies.delete(SESSION_COOKIE, { path: '/' });
-  throw redirect(303, '/admin/login');
-}
-
 // ── /admin/save (POST) ──────────────────────────────────────────────────────
 
 export async function saveCommit(
-  event: PlatformEvent & { request: Request; locals: { editor: Editor | null } },
+  event: PlatformEvent & { request: Request; locals: { user: CairnUser | null } },
   adapter: CairnAdapter,
 ): Promise<never> {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
+  const user = event.locals.user;
+  if (!user) throw error(401, 'Not signed in');
 
   const env = event.platform?.env;
   if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
@@ -295,109 +190,46 @@ export async function saveCommit(
     privateKeyB64: env.GITHUB_APP_PRIVATE_KEY_B64,
   });
 
-  await commitFile(
-    adapter.backend,
-    `${collection.dir}/${id}.md`,
-    markdown,
-    { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: editor.name, email: editor.email } },
-    token,
-  );
+  try {
+    await commitFile(
+      adapter.backend,
+      `${collection.dir}/${id}.md`,
+      markdown,
+      { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: user.name, email: user.email } },
+      token,
+    );
+  } catch (err) {
+    // Concurrent-edit 409 (C3): fail safe. Bounce back with a reload prompt; the editor reloads
+    // the current version and reapplies. Any other error is unexpected, so rethrow.
+    if (err instanceof CommitConflictError) {
+      const message = 'This file changed since you opened it. Reload and reapply your edits.';
+      throw redirect(303, `/admin/edit/${type}/${id}?error=${encodeURIComponent(message)}`);
+    }
+    throw err;
+  }
 
   throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
 }
 
-// ── /admin/admins (owner-gated editor management) ────────────────────────────
-
-/**
- * The privilege-escalation gate for the manage-admins surface: only `owner`s may load it or
- * run its actions. Returns the acting owner (so callers can guard self-targeted mutations).
- */
-function requireOwner(event: { locals: { editor: Editor | null } }): Editor {
-  const editor = event.locals.editor;
-  if (!editor) throw error(401, 'Not signed in');
-  if (editor.role !== 'owner') throw error(403, 'Owner access required');
-  return editor;
-}
-
-/** Resolve AUTH_KV or fail loudly — the management surface is useless without it. */
-function ownerKv(event: PlatformEvent): KVNamespace {
-  const kv = event.platform?.env?.AUTH_KV;
-  if (!kv) throw error(500, 'Editor allowlist is not configured');
-  return kv;
-}
-
-export interface AdminsData {
-  admins: Editor[];
-  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-  self: string;
-  saved: boolean;
-  error: string | null;
-}
-
-/** List the allowlist for the manage-admins page. Owner-only. */
-export async function adminsLoad(
-  event: PlatformEvent & { locals: { editor: Editor | null }; url: URL },
-): Promise<AdminsData> {
-  const owner = requireOwner(event);
-  const admins = await listEditors(ownerKv(event));
-  return {
-    admins,
-    self: owner.email,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
+// ── /admin/healthz (GET) ──────────────────────────────────────────────────────
 
-type AdminsActionEvent = PlatformEvent & {
-  request: Request;
-  locals: { editor: Editor | null };
-};
-
-function parseRole(value: unknown): Role {
-  return value === 'owner' ? 'owner' : 'editor';
-}
-
-/** Add (or update) an allowlist entry. Owner-only. */
-export async function addAdmin(event: AdminsActionEvent): Promise<never> {
-  requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const name = String(form.get('name') ?? '').trim();
-  if (!EMAIL_RE.test(email) || !name) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-  }
-  await setEditor(email, name, parseRole(form.get('role')), kv);
-  throw redirect(303, '/admin/admins?saved=1');
+export interface HealthData {
+  ok: boolean;
+  checks: { githubAppSigning: { ok: boolean; detail?: string } };
 }
 
-/** Remove an allowlist entry. Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (email === owner.email) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-  }
-  await removeEditor(email, kv);
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event: AdminsActionEvent): Promise<never> {
-  const owner = requireOwner(event);
-  const kv = ownerKv(event);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const role = parseRole(form.get('role'));
-  if (email === owner.email && role !== 'owner') {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-  }
-  const existing = await lookupEditor(email, kv);
-  if (!existing) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
+/**
+ * Deploy-time health check (M2): signs a dummy App JWT to prove the GitHub App key loads and
+ * the PKCS#1→PKCS#8 conversion still works, before an editor hits it on save. Behind the
+ * `/admin` guard (signed-in editors only); returns ok/fail with no secret in the body.
+ */
+export async function healthLoad(event: PlatformEvent): Promise<HealthData> {
+  const env = event.platform?.env;
+  let githubAppSigning: { ok: boolean; detail?: string };
+  if (env?.GITHUB_APP_ID && env.GITHUB_APP_PRIVATE_KEY_B64) {
+    githubAppSigning = await signingSelfTest(env.GITHUB_APP_ID, env.GITHUB_APP_PRIVATE_KEY_B64);
+  } else {
+    githubAppSigning = { ok: false, detail: 'GitHub App not configured' };
   }
-  await setEditor(email, existing.name, role, kv);
-  throw redirect(303, '/admin/admins?saved=1');
+  return { ok: githubAppSigning.ok, checks: { githubAppSigning } };
 }

package/src/lib/utils.ts

@@ -1,11 +1,11 @@
 // cairn-core: internal encoding helpers shared across modules.
 //
-// Deliberately NOT re-exported from index.ts — these are implementation details of the
+// Deliberately NOT re-exported from index.ts. These are implementation details of the
 // auth/github crypto, not part of the public API (auth.ts signs tokens, github.ts builds
 // the App JWT; both need base64url). Keeping them here stops bytesToB64url leaking through
 // the `export *` barrel.
 
-/** Encode bytes as unpadded base64url (RFC 4648 §5) — the JWT/token wire format. */
+/** Encode bytes as unpadded base64url (RFC 4648 §5), the JWT/token wire format. */
 export function bytesToB64url(bytes: Uint8Array): string {
   const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
   return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

package/dist/auth.d.ts

@@ -1,25 +0,0 @@
-import type { KVNamespace } from '@cloudflare/workers-types';
-/** Two-tier, per-site role. `owner`s manage the editor allowlist; `editor`s only edit content. */
-export type Role = 'owner' | 'editor';
-export interface Editor {
-    email: string;
-    name: string;
-    role: Role;
-}
-export declare const SESSION_COOKIE = "cairn_session";
-export declare const SESSION_MAX_AGE: number;
-/** Issue a single-use magic-link token and register its nonce in KV with a TTL. */
-export declare function createMagicLink(email: string, secret: string, kv: KVNamespace): Promise<string>;
-/** Redeem a magic-link token: verify, check expiry, then consume the KV nonce (single use). */
-export declare function redeemMagicToken(token: string, secret: string, kv: KVNamespace): Promise<string | null>;
-export declare function createSession(editor: Editor, secret: string): Promise<string>;
-export declare function verifySession(token: string, secret: string): Promise<Editor | null>;
-/** Look up an editor in the KV allowlist (`editor:<email>` → `{name, role}`). */
-export declare function lookupEditor(email: string, kv: KVNamespace): Promise<Editor | null>;
-/** Every allowlisted editor, sorted by email — the manage-admins list. */
-export declare function listEditors(kv: KVNamespace): Promise<Editor[]>;
-/** Add or update an allowlist entry (JSON value). Email is normalized. */
-export declare function setEditor(email: string, name: string, role: Role, kv: KVNamespace): Promise<void>;
-/** Remove an allowlist entry. */
-export declare function removeEditor(email: string, kv: KVNamespace): Promise<void>;
-//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAG7D,kGAAkG;AAClG,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,eAAO,MAAM,cAAc,kBAAkB,CAAC;AAK9C,eAAO,MAAM,eAAe,QAAsB,CAAC;AA8DnD,mFAAmF;AACnF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED,+FAA+F;AAC/F,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAOxB;AAMD,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAyBD,iFAAiF;AACjF,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKzF;AAED,0EAA0E;AAC1E,wBAAsB,WAAW,CAAC,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CASpE;AAED,0EAA0E;AAC1E,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,iCAAiC;AACjC,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhF"}