@glw907/cairn-cms 0.37.1 → 0.38.0

package/CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project are recorded here, most recent first.
 
+## 0.38.0
+
+The magic-link send is now awaited rather than fire-and-forget, so a delivery failure reaches the
+login response instead of being swallowed. `requestAction` returns a `status` discriminant
+(`sent` | `send_error` | `throttled`) alongside the existing `sent` boolean, and `LoginPage` renders
+a send-error and a throttled state. The `auth.link.send_failed` log record gains a `code` (the
+Cloudflare binding error code) and a `conditionId` (the mapped diagnostic condition).
+
+Consumers may: read `form.status` to render the new states. A site rendering against `form.sent` is
+unaffected, since `sent` is unchanged.
+
 ## 0.37.1
 
 Internal groundwork and a docs overhaul; nothing in the public surface or runtime behavior

package/dist/components/LoginPage.svelte

@@ -17,8 +17,9 @@ the allowlist, so the page never leaks membership (spec §7.1).
   interface Props {
     /** The login load's data: the site name, an optional error, and the CSRF token. */
     data: { siteName: string; error: string | null; csrf: string };
-    /** The action result: `sent` is true once a request was accepted. */
-    form: { sent?: boolean } | null;
+    /** The action result. `sent` is true once a request was accepted; `status` discriminates the
+     * neutral, send-error, and throttled outcomes. */
+    form: { sent?: boolean; status?: 'sent' | 'send_error' | 'throttled' } | null;
   }
 
   let { data, form }: Props = $props();
@@ -52,7 +53,7 @@ the allowlist, so the page never leaks membership (spec §7.1).
 <div data-theme="cairn-admin" bind:this={rootEl}>
   <div class="flex min-h-screen flex-col items-center justify-center gap-6 bg-base-200 p-4 text-base-content">
   <div class="w-full max-w-sm rounded-box border border-[var(--cairn-card-border)] bg-base-100 p-7 shadow-[var(--cairn-shadow)]">
-    {#if form?.sent && !dismissed}
+    {#if (form?.status === 'sent' || form?.sent) && !dismissed}
       <!-- The confirmation is a centered moment: brand, then the mail mark, heading, and one line of
            instruction. The fallback help sits in a gentle inset note below. -->
       <div role="status" class="flex flex-col items-center text-center">
@@ -86,7 +87,18 @@ the allowlist, so the page never leaks membership (spec §7.1).
       <div class="mb-6 flex justify-center">{@render brand()}</div>
       <h1 class="text-center text-lg font-semibold">Sign in to {data.siteName}</h1>
       <p class="mt-1 mb-5 text-center text-sm text-[var(--color-muted)]">Enter your email. We'll send a one-time sign-in link.</p>
-      {#if data.error}
+      {#if form?.status === 'send_error'}
+        <div role="alert" class="alert alert-warning mb-3 text-sm">
+          We're having trouble sending sign-in links right now. Please contact the site owner.
+        </div>
+      {:else if form?.status === 'throttled'}
+        <div role="status" class="alert mb-3 text-sm">
+          You requested a link recently. Check your inbox, or wait a minute and try again.
+        </div>
+      {/if}
+      <!-- A fresh action result supersedes the GET-time error, so a resubmit into a throttle or a
+           send failure never shows the stale expired-link alert alongside the new state. -->
+      {#if data.error && !form?.status}
         <div role="alert" class="alert alert-error mb-3 text-sm">That link expired. Request a new one below.</div>
       {/if}
       <form method="POST" class="flex flex-col gap-3">

package/dist/components/LoginPage.svelte.d.ts

@@ -6,9 +6,11 @@ interface Props {
         error: string | null;
         csrf: string;
     };
-    /** The action result: `sent` is true once a request was accepted. */
+    /** The action result. `sent` is true once a request was accepted; `status` discriminates the
+     * neutral, send-error, and throttled outcomes. */
     form: {
         sent?: boolean;
+        status?: 'sent' | 'send_error' | 'throttled';
     } | null;
 }
 /**

package/dist/diagnostics/conditions.js

@@ -23,6 +23,22 @@ const REGISTRY = {
         remediation: 'Post the form from the same origin, or check a proxy that strips or rewrites the Origin header.',
         logEvent: 'guard.rejected',
     },
+    'email.sender-not-onboarded': {
+        id: 'email.sender-not-onboarded',
+        severity: 'blocker',
+        title: 'Email sending domain is not onboarded',
+        why: 'The from-address domain has no enabled Cloudflare sending subdomain, so env.EMAIL.send has no aligned sender and the magic-link send throws E_SENDER_NOT_VERIFIED. No editor can sign in.',
+        remediation: 'Onboard the sending domain with `wrangler email sending enable <domain>`, then re-deploy. The domain must match branding.from.',
+        logEvent: 'auth.link.send_failed',
+    },
+    'email.send-failed': {
+        id: 'email.send-failed',
+        severity: 'blocker',
+        title: 'Magic-link email send failed',
+        why: 'The magic-link send threw for a reason other than a missing sender onboarding (a delivery error, a binding misconfiguration, or a custom sender failure), so the editor never received a link.',
+        remediation: 'Read the auth.link.send_failed log record (the code and error fields) in Workers Logs, and check the EMAIL binding and the sender configuration.',
+        logEvent: 'auth.link.send_failed',
+    },
 };
 /** Resolve a condition by id. Throws on an unknown id, since ids are compile-time constants. */
 export function condition(id) {

package/dist/email.d.ts

@@ -1,4 +1,5 @@
 import type { AuthEnv } from './auth/types.js';
+import { CairnError } from './diagnostics/index.js';
 export type { AuthEnv };
 /** The message a built magic-link email carries. */
 export interface MagicLinkMessage {
@@ -14,7 +15,9 @@ export interface AuthBranding {
     from: string;
     replyTo?: string;
 }
-/** The injected send. Production uses `cloudflareSend`; tests pass a sink. */
+/** The injected send. Production uses `cloudflareSend`; tests pass a sink. A thrown error's
+ *  text reaches the structured log (scrubbed and truncated), so a custom sender must not embed
+ *  the message body or the magic link in what it throws. */
 export type SendMagicLink = (env: AuthEnv, message: MagicLinkMessage) => Promise<void>;
 /** Build the confirmation email. The link is the only action; the copy stays plain. */
 export declare function buildMagicLinkMessage(input: {
@@ -24,3 +27,19 @@ export declare function buildMagicLinkMessage(input: {
 }): MagicLinkMessage;
 /** The production send: Cloudflare Email Sending through the EMAIL binding. */
 export declare const cloudflareSend: SendMagicLink;
+/**
+ * Read the E_* code a Cloudflare Email Sending binding error carries (E_SENDER_NOT_VERIFIED,
+ * E_DELIVERY_FAILED, and the rest of the set). The structured `code` property is the documented
+ * shape, but it is unproven against the live binding, so a code embedded in the message is read as
+ * a fallback. A custom injected sender that throws a plain Error has neither, so this returns
+ * undefined and the record still logs cleanly.
+ */
+export declare function errorCode(err: unknown): string | undefined;
+/**
+ * Map a magic-link send failure to its registered diagnostic condition, carrying the original error
+ * as the cause. The not-verified code is the onboarding gap (the ecxc fault); the live binding has
+ * also been observed throwing the bare "not a verified address" string with no code, so that
+ * message maps to the same condition. Everything else is the generic send failure. The caller logs
+ * the conditionId and code, and returns a send_error status.
+ */
+export declare function emailSendFailure(err: unknown): CairnError;

package/dist/email.js

@@ -1,3 +1,4 @@
+import { CairnError } from './diagnostics/index.js';
 /** Escape the five HTML-significant characters. */
 function escapeHtml(value) {
     return value
@@ -23,3 +24,27 @@ export const cloudflareSend = async (env, message) => {
         throw new Error('EMAIL binding is not configured');
     await env.EMAIL.send(message);
 };
+/**
+ * Read the E_* code a Cloudflare Email Sending binding error carries (E_SENDER_NOT_VERIFIED,
+ * E_DELIVERY_FAILED, and the rest of the set). The structured `code` property is the documented
+ * shape, but it is unproven against the live binding, so a code embedded in the message is read as
+ * a fallback. A custom injected sender that throws a plain Error has neither, so this returns
+ * undefined and the record still logs cleanly.
+ */
+export function errorCode(err) {
+    if (typeof err === 'object' && err !== null && 'code' in err && typeof err.code === 'string') {
+        return err.code;
+    }
+    return String(err).match(/\bE_[A-Z][A-Z_]*\b/)?.[0];
+}
+/**
+ * Map a magic-link send failure to its registered diagnostic condition, carrying the original error
+ * as the cause. The not-verified code is the onboarding gap (the ecxc fault); the live binding has
+ * also been observed throwing the bare "not a verified address" string with no code, so that
+ * message maps to the same condition. Everything else is the generic send failure. The caller logs
+ * the conditionId and code, and returns a send_error status.
+ */
+export function emailSendFailure(err) {
+    const onboarding = errorCode(err) === 'E_SENDER_NOT_VERIFIED' || String(err).includes('not a verified address');
+    return new CairnError(onboarding ? 'email.sender-not-onboarded' : 'email.send-failed', { cause: err });
+}

package/dist/sveltekit/auth-routes.d.ts

@@ -4,15 +4,28 @@ export interface AuthRoutesConfig {
     branding: AuthBranding;
     send?: SendMagicLink;
 }
+/**
+ * The request-action result. `status` is the discriminant; `sent` is kept for a site rendering its
+ * own form against `form.sent`, so the field is additive. The neutral and send-ok paths return the
+ * identical `{ status: 'sent', sent: true }`, so the common case never leaks allowlist membership.
+ */
+export type RequestResult = {
+    status: 'sent';
+    sent: true;
+} | {
+    status: 'send_error';
+    sent: false;
+} | {
+    status: 'throttled';
+    sent: false;
+};
 export declare function createAuthRoutes(config: AuthRoutesConfig): {
     loginLoad: (event: RequestContext) => {
         siteName: string;
         error: string | null;
         csrf: string;
     };
-    requestAction: (event: RequestContext) => Promise<{
-        sent: true;
-    }>;
+    requestAction: (event: RequestContext) => Promise<RequestResult>;
     confirmLoad: (event: RequestContext) => {
         token: string;
         siteName: string;

package/dist/sveltekit/auth-routes.js

@@ -5,15 +5,26 @@ import { redirect } from '@sveltejs/kit';
 import { requireOrigin, requireDb } from '../env.js';
 import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, SEND_COOLDOWN_MS, sessionCookieName, } from '../auth/crypto.js';
 import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
-import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
+import { buildMagicLinkMessage, cloudflareSend, emailSendFailure, errorCode } from '../email.js';
 import { issueCsrfToken } from './csrf.js';
 import { log } from '../log/index.js';
+/**
+ * The loggable form of a send failure. The engine's own senders throw clean errors, but `send` is
+ * an injection seam, and a custom sender's thrown error may embed the failed message and with it
+ * the magic link. Scrub any token query value and cap the length, so the documented "records never
+ * carry a token" guarantee holds for the seam too.
+ */
+function scrubSendError(err) {
+    return String(err)
+        .replace(/([?&]token=)[^&\s"'<]+/g, '$1[redacted]')
+        .slice(0, 300);
+}
 export function createAuthRoutes(config) {
     const send = config.send ?? cloudflareSend;
     /**
-     * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token
-     * and emails the confirmation link. The response is identical whether or not the email is
-     * allow-listed, so the endpoint never leaks membership.
+     * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token,
+     * emails the confirmation link, and awaits the send so the status reflects its outcome. The
+     * neutral and send-ok responses are identical, so the common case never leaks membership.
      */
     async function requestAction(event) {
         const env = event.platform?.env ?? {};
@@ -26,31 +37,39 @@ export function createAuthRoutes(config) {
         // fits well under this; only a junk payload is truncated.
         log.info('auth.link.requested', { email: email.slice(0, 320) });
         const editor = email ? await findEditor(db, email) : null;
-        if (editor) {
-            const now = Date.now();
-            // Per-email cooldown: skip the reissue and send when a token for this email was issued within
-            // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
-            // the non-leak property holds.
-            if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
-                const token = generateToken();
-                await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-                log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
-                const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-                // The token row is the security-critical write the email depends on, so it is awaited. The
-                // send is a post-response side effect, handed to waitUntil so a slow email provider does not
-                // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
-                // failure is logged so observability survives a backgrounded send.
-                const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch((err) => log.error('auth.link.send_failed', { email, error: String(err) }));
-                // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
-                // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
-                const ctx = event.platform?.ctx ?? event.platform?.context;
-                if (ctx?.waitUntil)
-                    ctx.waitUntil(sending);
-                else
-                    await sending;
-            }
+        // Non-editor: byte-identical to the editor send-ok path, so the response body never leaks
+        // membership. Response timing still differs (the editor path awaits the send), the side-channel
+        // the design accepts as strictly weaker than the explicit throttled signal below.
+        if (!editor)
+            return { status: 'sent', sent: true };
+        const now = Date.now();
+        // Per-email cooldown: an editor who requested within the window gets the throttled signal rather
+        // than a second email. This reveals editor membership, the deliberate relaxed-non-leak posture.
+        if (await recentlyIssued(db, email, now - SEND_COOLDOWN_MS)) {
+            return { status: 'throttled', sent: false };
+        }
+        const token = generateToken();
+        await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+        log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
+        const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+        // The token row is the security-critical write the email depends on, so it is awaited first.
+        // The send is now awaited too (no waitUntil backgrounding), so its outcome drives the response:
+        // confirm the link went out before telling an editor to check their inbox. The cost is one
+        // email-API round trip on the login POST, the right trade for a login flow.
+        try {
+            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+        }
+        catch (err) {
+            // Map the binding failure to its registered condition (carried as a CairnError with the
+            // original as cause), and log the greppable code plus the conditionId so the next onboarding
+            // gap reads straight to its fix. The editor sees only a generic message, never this detail.
+            const failure = emailSendFailure(err);
+            log.error('auth.link.send_failed', { email, error: scrubSendError(err), code: errorCode(err), conditionId: failure.conditionId });
+            // A plain 200 with a status field, not fail(): the result stays one uniform union for the
+            // page, and the failure is already observable through the error-level log record.
+            return { status: 'send_error', sent: false };
         }
-        return { sent: true };
+        return { status: 'sent', sent: true };
     }
     /** GET /admin/login. Public. Carries the site name, an optional `?error`, and the CSRF token. */
     function loginLoad(event) {

package/dist/sveltekit/index.d.ts

@@ -1,5 +1,5 @@
 export { createAuthGuard, requireSession, requireOwner } from './guard.js';
-export { createAuthRoutes, type AuthRoutesConfig } from './auth-routes.js';
+export { createAuthRoutes, type AuthRoutesConfig, type RequestResult } from './auth-routes.js';
 export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export type { NavConcept, LayoutData, EntrySummary, ListData, EditData, ContentEvent, ContentRoutesDeps, } from './content-routes.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.37.1",
+  "version": "0.38.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [

package/src/lib/components/LoginPage.svelte

@@ -17,8 +17,9 @@ the allowlist, so the page never leaks membership (spec §7.1).
   interface Props {
     /** The login load's data: the site name, an optional error, and the CSRF token. */
     data: { siteName: string; error: string | null; csrf: string };
-    /** The action result: `sent` is true once a request was accepted. */
-    form: { sent?: boolean } | null;
+    /** The action result. `sent` is true once a request was accepted; `status` discriminates the
+     * neutral, send-error, and throttled outcomes. */
+    form: { sent?: boolean; status?: 'sent' | 'send_error' | 'throttled' } | null;
   }
 
   let { data, form }: Props = $props();
@@ -52,7 +53,7 @@ the allowlist, so the page never leaks membership (spec §7.1).
 <div data-theme="cairn-admin" bind:this={rootEl}>
   <div class="flex min-h-screen flex-col items-center justify-center gap-6 bg-base-200 p-4 text-base-content">
   <div class="w-full max-w-sm rounded-box border border-[var(--cairn-card-border)] bg-base-100 p-7 shadow-[var(--cairn-shadow)]">
-    {#if form?.sent && !dismissed}
+    {#if (form?.status === 'sent' || form?.sent) && !dismissed}
       <!-- The confirmation is a centered moment: brand, then the mail mark, heading, and one line of
            instruction. The fallback help sits in a gentle inset note below. -->
       <div role="status" class="flex flex-col items-center text-center">
@@ -86,7 +87,18 @@ the allowlist, so the page never leaks membership (spec §7.1).
       <div class="mb-6 flex justify-center">{@render brand()}</div>
       <h1 class="text-center text-lg font-semibold">Sign in to {data.siteName}</h1>
       <p class="mt-1 mb-5 text-center text-sm text-[var(--color-muted)]">Enter your email. We'll send a one-time sign-in link.</p>
-      {#if data.error}
+      {#if form?.status === 'send_error'}
+        <div role="alert" class="alert alert-warning mb-3 text-sm">
+          We're having trouble sending sign-in links right now. Please contact the site owner.
+        </div>
+      {:else if form?.status === 'throttled'}
+        <div role="status" class="alert mb-3 text-sm">
+          You requested a link recently. Check your inbox, or wait a minute and try again.
+        </div>
+      {/if}
+      <!-- A fresh action result supersedes the GET-time error, so a resubmit into a throttle or a
+           send failure never shows the stale expired-link alert alongside the new state. -->
+      {#if data.error && !form?.status}
         <div role="alert" class="alert alert-error mb-3 text-sm">That link expired. Request a new one below.</div>
       {/if}
       <form method="POST" class="flex flex-col gap-3">

package/src/lib/diagnostics/conditions.ts

@@ -49,6 +49,22 @@ const REGISTRY: Record<string, CairnCondition> = {
 		remediation: 'Post the form from the same origin, or check a proxy that strips or rewrites the Origin header.',
 		logEvent: 'guard.rejected',
 	},
+	'email.sender-not-onboarded': {
+		id: 'email.sender-not-onboarded',
+		severity: 'blocker',
+		title: 'Email sending domain is not onboarded',
+		why: 'The from-address domain has no enabled Cloudflare sending subdomain, so env.EMAIL.send has no aligned sender and the magic-link send throws E_SENDER_NOT_VERIFIED. No editor can sign in.',
+		remediation: 'Onboard the sending domain with `wrangler email sending enable <domain>`, then re-deploy. The domain must match branding.from.',
+		logEvent: 'auth.link.send_failed',
+	},
+	'email.send-failed': {
+		id: 'email.send-failed',
+		severity: 'blocker',
+		title: 'Magic-link email send failed',
+		why: 'The magic-link send threw for a reason other than a missing sender onboarding (a delivery error, a binding misconfiguration, or a custom sender failure), so the editor never received a link.',
+		remediation: 'Read the auth.link.send_failed log record (the code and error fields) in Workers Logs, and check the EMAIL binding and the sender configuration.',
+		logEvent: 'auth.link.send_failed',
+	},
 };
 
 /** Resolve a condition by id. Throws on an unknown id, since ids are compile-time constants. */

package/src/lib/email.ts

@@ -2,6 +2,7 @@
 // send_email binding; production passes `cloudflareSend`, which calls env.EMAIL.send
 // (Cloudflare Email Sending, arbitrary recipients).
 import type { AuthEnv } from './auth/types.js';
+import { CairnError } from './diagnostics/index.js';
 
 export type { AuthEnv };
 
@@ -21,7 +22,9 @@ export interface AuthBranding {
   replyTo?: string;
 }
 
-/** The injected send. Production uses `cloudflareSend`; tests pass a sink. */
+/** The injected send. Production uses `cloudflareSend`; tests pass a sink. A thrown error's
+ *  text reaches the structured log (scrubbed and truncated), so a custom sender must not embed
+ *  the message body or the magic link in what it throws. */
 export type SendMagicLink = (env: AuthEnv, message: MagicLinkMessage) => Promise<void>;
 
 /** Escape the five HTML-significant characters. */
@@ -54,3 +57,30 @@ export const cloudflareSend: SendMagicLink = async (env, message) => {
   if (!env.EMAIL) throw new Error('EMAIL binding is not configured');
   await env.EMAIL.send(message);
 };
+
+/**
+ * Read the E_* code a Cloudflare Email Sending binding error carries (E_SENDER_NOT_VERIFIED,
+ * E_DELIVERY_FAILED, and the rest of the set). The structured `code` property is the documented
+ * shape, but it is unproven against the live binding, so a code embedded in the message is read as
+ * a fallback. A custom injected sender that throws a plain Error has neither, so this returns
+ * undefined and the record still logs cleanly.
+ */
+export function errorCode(err: unknown): string | undefined {
+  if (typeof err === 'object' && err !== null && 'code' in err && typeof err.code === 'string') {
+    return err.code;
+  }
+  return String(err).match(/\bE_[A-Z][A-Z_]*\b/)?.[0];
+}
+
+/**
+ * Map a magic-link send failure to its registered diagnostic condition, carrying the original error
+ * as the cause. The not-verified code is the onboarding gap (the ecxc fault); the live binding has
+ * also been observed throwing the bare "not a verified address" string with no code, so that
+ * message maps to the same condition. Everything else is the generic send failure. The caller logs
+ * the conditionId and code, and returns a send_error status.
+ */
+export function emailSendFailure(err: unknown): CairnError {
+  const onboarding =
+    errorCode(err) === 'E_SENDER_NOT_VERIFIED' || String(err).includes('not a verified address');
+  return new CairnError(onboarding ? 'email.sender-not-onboarded' : 'email.send-failed', { cause: err });
+}

package/src/lib/sveltekit/auth-routes.ts

@@ -13,7 +13,7 @@ import {
   sessionCookieName,
 } from '../auth/crypto.js';
 import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
-import { buildMagicLinkMessage, cloudflareSend, type AuthBranding, type SendMagicLink } from '../email.js';
+import { buildMagicLinkMessage, cloudflareSend, emailSendFailure, errorCode, type AuthBranding, type SendMagicLink } from '../email.js';
 import { issueCsrfToken } from './csrf.js';
 import { log } from '../log/index.js';
 import type { RequestContext } from './types.js';
@@ -23,15 +23,37 @@ export interface AuthRoutesConfig {
   send?: SendMagicLink;
 }
 
+/**
+ * The request-action result. `status` is the discriminant; `sent` is kept for a site rendering its
+ * own form against `form.sent`, so the field is additive. The neutral and send-ok paths return the
+ * identical `{ status: 'sent', sent: true }`, so the common case never leaks allowlist membership.
+ */
+export type RequestResult =
+  | { status: 'sent'; sent: true }
+  | { status: 'send_error'; sent: false }
+  | { status: 'throttled'; sent: false };
+
+/**
+ * The loggable form of a send failure. The engine's own senders throw clean errors, but `send` is
+ * an injection seam, and a custom sender's thrown error may embed the failed message and with it
+ * the magic link. Scrub any token query value and cap the length, so the documented "records never
+ * carry a token" guarantee holds for the seam too.
+ */
+function scrubSendError(err: unknown): string {
+  return String(err)
+    .replace(/([?&]token=)[^&\s"'<]+/g, '$1[redacted]')
+    .slice(0, 300);
+}
+
 export function createAuthRoutes(config: AuthRoutesConfig) {
   const send = config.send ?? cloudflareSend;
 
   /**
-   * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token
-   * and emails the confirmation link. The response is identical whether or not the email is
-   * allow-listed, so the endpoint never leaks membership.
+   * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token,
+   * emails the confirmation link, and awaits the send so the status reflects its outcome. The
+   * neutral and send-ok responses are identical, so the common case never leaks membership.
    */
-  async function requestAction(event: RequestContext): Promise<{ sent: true }> {
+  async function requestAction(event: RequestContext): Promise<RequestResult> {
     const env = event.platform?.env ?? {};
     const origin = requireOrigin(env);
     const db = requireDb(env);
@@ -43,31 +65,39 @@ export function createAuthRoutes(config: AuthRoutesConfig) {
     log.info('auth.link.requested', { email: email.slice(0, 320) });
 
     const editor = email ? await findEditor(db, email) : null;
-    if (editor) {
-      const now = Date.now();
-      // Per-email cooldown: skip the reissue and send when a token for this email was issued within
-      // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
-      // the non-leak property holds.
-      if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
-        const token = generateToken();
-        await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-        log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
-        const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-        // The token row is the security-critical write the email depends on, so it is awaited. The
-        // send is a post-response side effect, handed to waitUntil so a slow email provider does not
-        // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
-        // failure is logged so observability survives a backgrounded send.
-        const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch(
-          (err) => log.error('auth.link.send_failed', { email, error: String(err) }),
-        );
-        // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
-        // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
-        const ctx = event.platform?.ctx ?? event.platform?.context;
-        if (ctx?.waitUntil) ctx.waitUntil(sending);
-        else await sending;
-      }
+    // Non-editor: byte-identical to the editor send-ok path, so the response body never leaks
+    // membership. Response timing still differs (the editor path awaits the send), the side-channel
+    // the design accepts as strictly weaker than the explicit throttled signal below.
+    if (!editor) return { status: 'sent', sent: true };
+
+    const now = Date.now();
+    // Per-email cooldown: an editor who requested within the window gets the throttled signal rather
+    // than a second email. This reveals editor membership, the deliberate relaxed-non-leak posture.
+    if (await recentlyIssued(db, email, now - SEND_COOLDOWN_MS)) {
+      return { status: 'throttled', sent: false };
+    }
+
+    const token = generateToken();
+    await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+    log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
+    const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+    // The token row is the security-critical write the email depends on, so it is awaited first.
+    // The send is now awaited too (no waitUntil backgrounding), so its outcome drives the response:
+    // confirm the link went out before telling an editor to check their inbox. The cost is one
+    // email-API round trip on the login POST, the right trade for a login flow.
+    try {
+      await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+    } catch (err) {
+      // Map the binding failure to its registered condition (carried as a CairnError with the
+      // original as cause), and log the greppable code plus the conditionId so the next onboarding
+      // gap reads straight to its fix. The editor sees only a generic message, never this detail.
+      const failure = emailSendFailure(err);
+      log.error('auth.link.send_failed', { email, error: scrubSendError(err), code: errorCode(err), conditionId: failure.conditionId });
+      // A plain 200 with a status field, not fail(): the result stays one uniform union for the
+      // page, and the failure is already observable through the error-level log record.
+      return { status: 'send_error', sent: false };
     }
-    return { sent: true };
+    return { status: 'sent', sent: true };
   }
 
   /** GET /admin/login. Public. Carries the site name, an optional `?error`, and the CSRF token. */

package/src/lib/sveltekit/index.ts

@@ -1,7 +1,7 @@
 // SvelteKit server logic consumed by site route shims: the guard plus the auth, editor,
 // content, and health route factories and functions.
 export { createAuthGuard, requireSession, requireOwner } from './guard.js';
-export { createAuthRoutes, type AuthRoutesConfig } from './auth-routes.js';
+export { createAuthRoutes, type AuthRoutesConfig, type RequestResult } from './auth-routes.js';
 export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export type {