@glw907/cairn-cms 0.37.1 → 0.40.0

package/dist/components/markdown-directives.js

@@ -0,0 +1,22 @@
+// Remark-directive detection for the editor's machinery highlighting (spec: directive syntax is
+// styled distinctly so an editor can tell component scaffolding from prose). Pure functions; the
+// CodeMirror decoration plugin wraps them.
+const FENCE = /^\s{0,3}:::+\s*[\w-]*\s*(\{[^}]*\})?\s*$/;
+const LEAF = /^\s{0,3}::[\w-]+(\[[^\]]*\])?(\{[^}]*\})?\s*$/;
+const INLINE = /(?<![:\w]):[\w-]+\[[^\]]*\](\{[^}]*\})?/g;
+/** Classify a whole line as a container fence, a leaf directive, or neither. */
+export function directiveLineKind(line) {
+    if (FENCE.test(line))
+        return 'fence';
+    if (LEAF.test(line))
+        return 'leaf';
+    return null;
+}
+/** Inline directive ranges (`:name[...]{...}`) within a line of text. */
+export function findInlineDirectives(text) {
+    const out = [];
+    for (const m of text.matchAll(INLINE)) {
+        out.push({ from: m.index, to: m.index + m[0].length });
+    }
+    return out;
+}

package/dist/components/markdown-format.d.ts

@@ -1,4 +1,4 @@
-export type FormatKind = 'bold' | 'italic' | 'code' | 'heading' | 'quote' | 'ul' | 'link';
+export type FormatKind = 'bold' | 'italic' | 'code' | 'strike' | 'h2' | 'h3' | 'quote' | 'ul' | 'ol' | 'task' | 'codeblock' | 'hr' | 'table' | 'link';
 export interface FormatResult {
     doc: string;
     from: number;

package/dist/components/markdown-format.js

@@ -8,13 +8,81 @@ import remarkParse from 'remark-parse';
 import remarkGfm from 'remark-gfm';
 import { visit } from 'unist-util-visit';
 import { escapeLinkText } from '../content/links.js';
-const WRAP = { bold: '**', italic: '_', code: '`' };
-const LINE_PREFIX = { heading: '# ', quote: '> ', ul: '- ' };
+const WRAP = { bold: '**', italic: '_', code: '`', strike: '~~' };
+/**
+ * Per-kind line-prefix behavior. `prefix` builds the marker for the line's 0-based index (only ol
+ * varies by line). `exact` matches a line already carrying this kind's own marker; when every
+ * selected line matches, the format toggles off. `strip` matches a competing marker to replace
+ * before prefixing, so h2 on an h3 line swaps the level instead of stacking. Quote and ul keep
+ * their original add-only behavior, so they carry neither regex.
+ */
+const LINE = {
+    h2: { prefix: () => '## ', exact: /^## /, strip: /^#{1,6} / },
+    h3: { prefix: () => '### ', exact: /^### /, strip: /^#{1,6} / },
+    quote: { prefix: () => '> ' },
+    ul: { prefix: () => '- ' },
+    ol: { prefix: (i) => `${i + 1}. `, exact: /^\d+\. /, strip: /^\d+\. / },
+    task: { prefix: () => '- [ ] ', exact: /^- \[[ xX]\] /, strip: /^- \[[ xX]\] / },
+};
+const TABLE_GRID = '| Column 1 | Column 2 |\n| -------- | -------- |\n|          |          |\n|          |          |';
+/** Wrap the selection in `marker`, or unwrap when the markers are already there (inside or just
+ *  outside the selection). The returned range covers the text without its markers either way. */
+function toggleWrap(doc, from, to, marker) {
+    const m = marker.length;
+    const sel = doc.slice(from, to);
+    if (sel.length >= 2 * m && sel.startsWith(marker) && sel.endsWith(marker)) {
+        const inner = sel.slice(m, sel.length - m);
+        return { doc: doc.slice(0, from) + inner + doc.slice(to), from, to: to - 2 * m };
+    }
+    if (from >= m && doc.slice(from - m, from) === marker && doc.slice(to, to + m) === marker) {
+        return { doc: doc.slice(0, from - m) + sel + doc.slice(to + m), from: from - m, to: to - m };
+    }
+    const next = doc.slice(0, from) + marker + sel + marker + doc.slice(to);
+    return { doc: next, from: from + m, to: to + m };
+}
+/** Apply a line-prefix kind to every selected line. When the kind toggles and every line already
+ *  carries its marker, the markers come off; otherwise competing markers are replaced and each
+ *  line gains the kind's prefix. The selection shifts with the first line's edit and stretches
+ *  by the total length change, the same mechanics the original single-prefix version had. */
+function applyLinePrefix(doc, from, to, kind) {
+    const { prefix, exact, strip } = LINE[kind];
+    const lineStart = doc.lastIndexOf('\n', from - 1) + 1; // 0 when the selection is on the first line
+    const lines = doc.slice(lineStart, to).split('\n');
+    const next = exact && lines.every((line) => exact.test(line))
+        ? lines.map((line) => line.replace(exact, ''))
+        : lines.map((line, i) => prefix(i) + (strip ? line.replace(strip, '') : line));
+    const region = next.join('\n');
+    const firstDelta = next[0].length - lines[0].length;
+    const totalDelta = region.length - (to - lineStart);
+    return {
+        doc: doc.slice(0, lineStart) + region + doc.slice(to),
+        from: Math.max(lineStart, from + firstDelta),
+        to: to + totalDelta,
+    };
+}
+/** Fence the selected lines in triple backticks on their own lines, or remove the fences when the
+ *  lines just above and below the selection already are fences. */
+function toggleCodeFence(doc, from, to) {
+    const lineStart = doc.lastIndexOf('\n', from - 1) + 1;
+    const lineEndRaw = doc.indexOf('\n', to);
+    const lineEnd = lineEndRaw === -1 ? doc.length : lineEndRaw;
+    const prevStart = lineStart > 0 ? doc.lastIndexOf('\n', lineStart - 2) + 1 : -1;
+    const prevLine = prevStart >= 0 ? doc.slice(prevStart, lineStart - 1) : null;
+    const nextEndRaw = lineEnd < doc.length ? doc.indexOf('\n', lineEnd + 1) : -1;
+    const nextEnd = nextEndRaw === -1 ? doc.length : nextEndRaw;
+    const nextLine = lineEnd < doc.length ? doc.slice(lineEnd + 1, nextEnd) : null;
+    if (prevLine === '```' && nextLine === '```') {
+        const removedBefore = lineStart - prevStart; // the opening fence line and its newline
+        const next = doc.slice(0, prevStart) + doc.slice(lineStart, lineEnd) + doc.slice(nextEnd);
+        return { doc: next, from: from - removedBefore, to: to - removedBefore };
+    }
+    const open = '```\n';
+    const next = doc.slice(0, lineStart) + open + doc.slice(lineStart, lineEnd) + '\n```' + doc.slice(lineEnd);
+    return { doc: next, from: from + open.length, to: to + open.length };
+}
 export function applyMarkdownFormat(doc, from, to, kind) {
-    if (kind === 'bold' || kind === 'italic' || kind === 'code') {
-        const marker = WRAP[kind];
-        const next = doc.slice(0, from) + marker + doc.slice(from, to) + marker + doc.slice(to);
-        return { doc: next, from: from + marker.length, to: to + marker.length };
+    if (kind === 'bold' || kind === 'italic' || kind === 'code' || kind === 'strike') {
+        return toggleWrap(doc, from, to, WRAP[kind]);
     }
     if (kind === 'link') {
         const text = doc.slice(from, to);
@@ -24,12 +92,23 @@ export function applyMarkdownFormat(doc, from, to, kind) {
         const urlStart = from + lead.length;
         return { doc: doc.slice(0, from) + inserted + doc.slice(to), from: urlStart, to: urlStart + placeholder.length };
     }
-    const prefix = LINE_PREFIX[kind];
-    const lineStart = doc.lastIndexOf('\n', from - 1) + 1; // 0 when the selection is on the first line
-    const region = doc.slice(lineStart, to);
-    const prefixed = region.replace(/^/gm, prefix);
-    const added = prefixed.length - region.length;
-    return { doc: doc.slice(0, lineStart) + prefixed + doc.slice(to), from: from + prefix.length, to: to + added };
+    if (kind === 'codeblock')
+        return toggleCodeFence(doc, from, to);
+    if (kind === 'hr') {
+        const inserted = '\n\n---\n\n';
+        const at = from + inserted.length;
+        return { doc: doc.slice(0, from) + inserted + doc.slice(to), from: at, to: at };
+    }
+    if (kind === 'table') {
+        const inserted = `\n\n${TABLE_GRID}\n\n`;
+        const cellStart = from + inserted.indexOf('Column 1');
+        return {
+            doc: doc.slice(0, from) + inserted + doc.slice(to),
+            from: cellStart,
+            to: cellStart + 'Column 1'.length,
+        };
+    }
+    return applyLinePrefix(doc, from, to, kind);
 }
 /**
  * Insert an inline markdown link at the selection. With a non-empty selection the selected text

package/dist/content/pending.d.ts

@@ -0,0 +1,9 @@
+/** Every pending branch sits under this prefix; one matching-refs call lists them all. */
+export declare const PENDING_PREFIX = "cairn/";
+/** The branch name holding an entry's pending edits. */
+export declare function pendingBranch(concept: string, id: string): string;
+/** Parse a branch name or fully qualified ref back to its entry, or null for any other ref. */
+export declare function parsePendingBranch(ref: string): {
+    concept: string;
+    id: string;
+} | null;

package/dist/content/pending.js

@@ -0,0 +1,24 @@
+// The pending-branch codec (publish-workflow spec): a pending entry lives on
+// `cairn/<conceptKey>/<id>`, and the ref's existence is the only pending state. Concept ids and
+// entry ids are slug-safe, so the name needs no escaping; the parser is the codec's inverse.
+/** Every pending branch sits under this prefix; one matching-refs call lists them all. */
+export const PENDING_PREFIX = 'cairn/';
+/** The branch name holding an entry's pending edits. */
+export function pendingBranch(concept, id) {
+    return `${PENDING_PREFIX}${concept}/${id}`;
+}
+/** Parse a branch name or fully qualified ref back to its entry, or null for any other ref. */
+export function parsePendingBranch(ref) {
+    const name = ref.startsWith('refs/heads/') ? ref.slice('refs/heads/'.length) : ref;
+    if (!name.startsWith(PENDING_PREFIX))
+        return null;
+    const rest = name.slice(PENDING_PREFIX.length);
+    const slash = rest.indexOf('/');
+    if (slash <= 0)
+        return null;
+    const concept = rest.slice(0, slash);
+    const id = rest.slice(slash + 1);
+    if (!id || id.includes('/'))
+        return null;
+    return { concept, id };
+}

package/dist/diagnostics/conditions.js

@@ -23,6 +23,22 @@ const REGISTRY = {
         remediation: 'Post the form from the same origin, or check a proxy that strips or rewrites the Origin header.',
         logEvent: 'guard.rejected',
     },
+    'email.sender-not-onboarded': {
+        id: 'email.sender-not-onboarded',
+        severity: 'blocker',
+        title: 'Email sending domain is not onboarded',
+        why: 'The from-address domain has no enabled Cloudflare sending subdomain, so env.EMAIL.send has no aligned sender and the magic-link send throws E_SENDER_NOT_VERIFIED. No editor can sign in.',
+        remediation: 'Onboard the sending domain with `wrangler email sending enable <domain>`, then re-deploy. The domain must match branding.from.',
+        logEvent: 'auth.link.send_failed',
+    },
+    'email.send-failed': {
+        id: 'email.send-failed',
+        severity: 'blocker',
+        title: 'Magic-link email send failed',
+        why: 'The magic-link send threw for a reason other than a missing sender onboarding (a delivery error, a binding misconfiguration, or a custom sender failure), so the editor never received a link.',
+        remediation: 'Read the auth.link.send_failed log record (the code and error fields) in Workers Logs, and check the EMAIL binding and the sender configuration.',
+        logEvent: 'auth.link.send_failed',
+    },
 };
 /** Resolve a condition by id. Throws on an unknown id, since ids are compile-time constants. */
 export function condition(id) {

package/dist/email.d.ts

@@ -1,4 +1,5 @@
 import type { AuthEnv } from './auth/types.js';
+import { CairnError } from './diagnostics/index.js';
 export type { AuthEnv };
 /** The message a built magic-link email carries. */
 export interface MagicLinkMessage {
@@ -14,7 +15,9 @@ export interface AuthBranding {
     from: string;
     replyTo?: string;
 }
-/** The injected send. Production uses `cloudflareSend`; tests pass a sink. */
+/** The injected send. Production uses `cloudflareSend`; tests pass a sink. A thrown error's
+ *  text reaches the structured log (scrubbed and truncated), so a custom sender must not embed
+ *  the message body or the magic link in what it throws. */
 export type SendMagicLink = (env: AuthEnv, message: MagicLinkMessage) => Promise<void>;
 /** Build the confirmation email. The link is the only action; the copy stays plain. */
 export declare function buildMagicLinkMessage(input: {
@@ -24,3 +27,19 @@ export declare function buildMagicLinkMessage(input: {
 }): MagicLinkMessage;
 /** The production send: Cloudflare Email Sending through the EMAIL binding. */
 export declare const cloudflareSend: SendMagicLink;
+/**
+ * Read the E_* code a Cloudflare Email Sending binding error carries (E_SENDER_NOT_VERIFIED,
+ * E_DELIVERY_FAILED, and the rest of the set). The structured `code` property is the documented
+ * shape, but it is unproven against the live binding, so a code embedded in the message is read as
+ * a fallback. A custom injected sender that throws a plain Error has neither, so this returns
+ * undefined and the record still logs cleanly.
+ */
+export declare function errorCode(err: unknown): string | undefined;
+/**
+ * Map a magic-link send failure to its registered diagnostic condition, carrying the original error
+ * as the cause. The not-verified code is the onboarding gap (the ecxc fault); the live binding has
+ * also been observed throwing the bare "not a verified address" string with no code, so that
+ * message maps to the same condition. Everything else is the generic send failure. The caller logs
+ * the conditionId and code, and returns a send_error status.
+ */
+export declare function emailSendFailure(err: unknown): CairnError;

package/dist/email.js

@@ -1,3 +1,4 @@
+import { CairnError } from './diagnostics/index.js';
 /** Escape the five HTML-significant characters. */
 function escapeHtml(value) {
     return value
@@ -23,3 +24,27 @@ export const cloudflareSend = async (env, message) => {
         throw new Error('EMAIL binding is not configured');
     await env.EMAIL.send(message);
 };
+/**
+ * Read the E_* code a Cloudflare Email Sending binding error carries (E_SENDER_NOT_VERIFIED,
+ * E_DELIVERY_FAILED, and the rest of the set). The structured `code` property is the documented
+ * shape, but it is unproven against the live binding, so a code embedded in the message is read as
+ * a fallback. A custom injected sender that throws a plain Error has neither, so this returns
+ * undefined and the record still logs cleanly.
+ */
+export function errorCode(err) {
+    if (typeof err === 'object' && err !== null && 'code' in err && typeof err.code === 'string') {
+        return err.code;
+    }
+    return String(err).match(/\bE_[A-Z][A-Z_]*\b/)?.[0];
+}
+/**
+ * Map a magic-link send failure to its registered diagnostic condition, carrying the original error
+ * as the cause. The not-verified code is the onboarding gap (the ecxc fault); the live binding has
+ * also been observed throwing the bare "not a verified address" string with no code, so that
+ * message maps to the same condition. Everything else is the generic send failure. The caller logs
+ * the conditionId and code, and returns a send_error status.
+ */
+export function emailSendFailure(err) {
+    const onboarding = errorCode(err) === 'E_SENDER_NOT_VERIFIED' || String(err).includes('not a verified address');
+    return new CairnError(onboarding ? 'email.sender-not-onboarded' : 'email.send-failed', { cause: err });
+}

package/dist/github/branches.d.ts

@@ -0,0 +1,11 @@
+import type { RepoRef } from './types.js';
+/** The head commit sha of a branch, or null when the branch does not exist. */
+export declare function branchHeadSha(repo: RepoRef, branch: string, token: string): Promise<string | null>;
+/** Create `branch` pointing at `fromSha`. Throws on any failure including an existing ref. */
+export declare function createBranch(repo: RepoRef, branch: string, fromSha: string, token: string): Promise<void>;
+/** Delete `branch`. A 404 (already gone) is success: the desired state holds. */
+export declare function deleteBranch(repo: RepoRef, branch: string, token: string): Promise<void>;
+/** Branch names under `prefix`, sorted. The matching-refs API paginates at 30 by default, so a
+ *  site with 31+ pending entries would silently truncate; request the 100-per-page maximum and
+ *  follow the Link rel="next" chain until exhausted. */
+export declare function listBranches(repo: RepoRef, prefix: string, token: string): Promise<string[]>;

package/dist/github/branches.js

@@ -0,0 +1,75 @@
+const API = 'https://api.github.com';
+function headers(token) {
+    return {
+        Accept: 'application/vnd.github+json',
+        'User-Agent': 'cairn-cms',
+        'X-GitHub-Api-Version': '2022-11-28',
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json',
+    };
+}
+function gitUrl(repo, suffix) {
+    return `${API}/repos/${repo.owner}/${repo.repo}/git/${suffix}`;
+}
+/** The head commit sha of a branch, or null when the branch does not exist. */
+export async function branchHeadSha(repo, branch, token) {
+    const res = await fetch(gitUrl(repo, `ref/heads/${encodeURIComponent(branch)}`), { headers: headers(token) });
+    // The 404 probe is a hot path (every editLoad); drain the body so the connection frees
+    // immediately instead of pinning one of workerd's six until GC.
+    if (res.status === 404) {
+        await res.body?.cancel();
+        return null;
+    }
+    if (!res.ok)
+        throw new Error(`GitHub ref ${branch} failed: ${res.status} ${await res.text()}`);
+    return (await res.json()).object.sha;
+}
+/** Create `branch` pointing at `fromSha`. Throws on any failure including an existing ref. */
+export async function createBranch(repo, branch, fromSha, token) {
+    const res = await fetch(gitUrl(repo, 'refs'), {
+        method: 'POST',
+        headers: headers(token),
+        body: JSON.stringify({ ref: `refs/heads/${branch}`, sha: fromSha }),
+    });
+    if (!res.ok)
+        throw new Error(`GitHub branch create ${branch} failed: ${res.status} ${await res.text()}`);
+    await res.body?.cancel();
+}
+/** Delete `branch`. A 404 (already gone) is success: the desired state holds. */
+export async function deleteBranch(repo, branch, token) {
+    const res = await fetch(gitUrl(repo, `refs/heads/${encodeURIComponent(branch)}`), {
+        method: 'DELETE',
+        headers: headers(token),
+    });
+    if (!res.ok && res.status !== 404) {
+        throw new Error(`GitHub branch delete ${branch} failed: ${res.status} ${await res.text()}`);
+    }
+    await res.body?.cancel();
+}
+/** The rel="next" URL from a GitHub Link header, or null on the last page. */
+function nextPageUrl(link) {
+    if (!link)
+        return null;
+    for (const part of link.split(',')) {
+        const match = part.match(/<([^>]+)>\s*;\s*rel="next"/);
+        if (match)
+            return match[1];
+    }
+    return null;
+}
+/** Branch names under `prefix`, sorted. The matching-refs API paginates at 30 by default, so a
+ *  site with 31+ pending entries would silently truncate; request the 100-per-page maximum and
+ *  follow the Link rel="next" chain until exhausted. */
+export async function listBranches(repo, prefix, token) {
+    const names = [];
+    let url = `${gitUrl(repo, `matching-refs/heads/${prefix}`)}?per_page=100`;
+    while (url) {
+        const res = await fetch(url, { headers: headers(token) });
+        if (!res.ok)
+            throw new Error(`GitHub matching-refs ${prefix} failed: ${res.status} ${await res.text()}`);
+        const refs = (await res.json());
+        names.push(...refs.map((r) => r.ref.replace(/^refs\/heads\//, '')));
+        url = nextPageUrl(res.headers.get('Link'));
+    }
+    return names;
+}

package/dist/log/events.d.ts

@@ -1 +1 @@
-export type CairnLogEvent = 'auth.link.requested' | 'auth.link.send_failed' | 'auth.token.minted' | 'auth.token.confirmed' | 'auth.session.created' | 'auth.session.destroyed' | 'commit.succeeded' | 'commit.failed' | 'guard.rejected';
+export type CairnLogEvent = 'auth.link.requested' | 'auth.link.send_failed' | 'auth.token.minted' | 'auth.token.confirmed' | 'auth.session.created' | 'auth.session.destroyed' | 'commit.succeeded' | 'commit.failed' | 'entry.published' | 'entry.discarded' | 'publish.failed' | 'guard.rejected';

package/dist/sveltekit/auth-routes.d.ts

@@ -4,15 +4,28 @@ export interface AuthRoutesConfig {
     branding: AuthBranding;
     send?: SendMagicLink;
 }
+/**
+ * The request-action result. `status` is the discriminant; `sent` is kept for a site rendering its
+ * own form against `form.sent`, so the field is additive. The neutral and send-ok paths return the
+ * identical `{ status: 'sent', sent: true }`, so the common case never leaks allowlist membership.
+ */
+export type RequestResult = {
+    status: 'sent';
+    sent: true;
+} | {
+    status: 'send_error';
+    sent: false;
+} | {
+    status: 'throttled';
+    sent: false;
+};
 export declare function createAuthRoutes(config: AuthRoutesConfig): {
     loginLoad: (event: RequestContext) => {
         siteName: string;
         error: string | null;
         csrf: string;
     };
-    requestAction: (event: RequestContext) => Promise<{
-        sent: true;
-    }>;
+    requestAction: (event: RequestContext) => Promise<RequestResult>;
     confirmLoad: (event: RequestContext) => {
         token: string;
         siteName: string;

package/dist/sveltekit/auth-routes.js

@@ -5,15 +5,26 @@ import { redirect } from '@sveltejs/kit';
 import { requireOrigin, requireDb } from '../env.js';
 import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, SEND_COOLDOWN_MS, sessionCookieName, } from '../auth/crypto.js';
 import { findEditor, issueToken, consumeToken, createSession, deleteSession, recentlyIssued } from '../auth/store.js';
-import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
+import { buildMagicLinkMessage, cloudflareSend, emailSendFailure, errorCode } from '../email.js';
 import { issueCsrfToken } from './csrf.js';
 import { log } from '../log/index.js';
+/**
+ * The loggable form of a send failure. The engine's own senders throw clean errors, but `send` is
+ * an injection seam, and a custom sender's thrown error may embed the failed message and with it
+ * the magic link. Scrub any token query value and cap the length, so the documented "records never
+ * carry a token" guarantee holds for the seam too.
+ */
+function scrubSendError(err) {
+    return String(err)
+        .replace(/([?&]token=)[^&\s"'<]+/g, '$1[redacted]')
+        .slice(0, 300);
+}
 export function createAuthRoutes(config) {
     const send = config.send ?? cloudflareSend;
     /**
-     * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token
-     * and emails the confirmation link. The response is identical whether or not the email is
-     * allow-listed, so the endpoint never leaks membership.
+     * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token,
+     * emails the confirmation link, and awaits the send so the status reflects its outcome. The
+     * neutral and send-ok responses are identical, so the common case never leaks membership.
      */
     async function requestAction(event) {
         const env = event.platform?.env ?? {};
@@ -26,31 +37,39 @@ export function createAuthRoutes(config) {
         // fits well under this; only a junk payload is truncated.
         log.info('auth.link.requested', { email: email.slice(0, 320) });
         const editor = email ? await findEditor(db, email) : null;
-        if (editor) {
-            const now = Date.now();
-            // Per-email cooldown: skip the reissue and send when a token for this email was issued within
-            // the window, so the endpoint cannot flood an editor's inbox. The response is unchanged, so
-            // the non-leak property holds.
-            if (!(await recentlyIssued(db, email, now - SEND_COOLDOWN_MS))) {
-                const token = generateToken();
-                await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
-                log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
-                const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-                // The token row is the security-critical write the email depends on, so it is awaited. The
-                // send is a post-response side effect, handed to waitUntil so a slow email provider does not
-                // hold the response. An absent waitUntil (local dev, tests) falls back to await. A send
-                // failure is logged so observability survives a backgrounded send.
-                const sending = send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link })).catch((err) => log.error('auth.link.send_failed', { email, error: String(err) }));
-                // adapter-cloudflare exposes the ExecutionContext as platform.ctx; platform.context is a
-                // deprecated alias kept as a fallback so an adapter that drops it keeps backgrounding.
-                const ctx = event.platform?.ctx ?? event.platform?.context;
-                if (ctx?.waitUntil)
-                    ctx.waitUntil(sending);
-                else
-                    await sending;
-            }
+        // Non-editor: byte-identical to the editor send-ok path, so the response body never leaks
+        // membership. Response timing still differs (the editor path awaits the send), the side-channel
+        // the design accepts as strictly weaker than the explicit throttled signal below.
+        if (!editor)
+            return { status: 'sent', sent: true };
+        const now = Date.now();
+        // Per-email cooldown: an editor who requested within the window gets the throttled signal rather
+        // than a second email. This reveals editor membership, the deliberate relaxed-non-leak posture.
+        if (await recentlyIssued(db, email, now - SEND_COOLDOWN_MS)) {
+            return { status: 'throttled', sent: false };
+        }
+        const token = generateToken();
+        await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+        log.info('auth.token.minted', { email, expiresAt: now + TOKEN_TTL_MS });
+        const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+        // The token row is the security-critical write the email depends on, so it is awaited first.
+        // The send is now awaited too (no waitUntil backgrounding), so its outcome drives the response:
+        // confirm the link went out before telling an editor to check their inbox. The cost is one
+        // email-API round trip on the login POST, the right trade for a login flow.
+        try {
+            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+        }
+        catch (err) {
+            // Map the binding failure to its registered condition (carried as a CairnError with the
+            // original as cause), and log the greppable code plus the conditionId so the next onboarding
+            // gap reads straight to its fix. The editor sees only a generic message, never this detail.
+            const failure = emailSendFailure(err);
+            log.error('auth.link.send_failed', { email, error: scrubSendError(err), code: errorCode(err), conditionId: failure.conditionId });
+            // A plain 200 with a status field, not fail(): the result stays one uniform union for the
+            // page, and the failure is already observable through the error-level log record.
+            return { status: 'send_error', sent: false };
         }
-        return { sent: true };
+        return { status: 'sent', sent: true };
     }
     /** GET /admin/login. Public. Carries the site name, an optional `?error`, and the CSRF token. */
     function loginLoad(event) {

package/dist/sveltekit/content-routes.d.ts

@@ -29,6 +29,12 @@ export interface LayoutData {
     collapsedNav: string[];
     /** The session's CSRF double-submit token, rendered as a hidden field in every admin form. */
     csrf: string;
+    /** Every entry with unpublished edits (a `cairn/` ref), for the topbar's publish-all action.
+     *  Null when GitHub is unreachable, so the topbar hides the action rather than lying. */
+    pendingEntries: {
+        concept: string;
+        id: string;
+    }[] | null;
 }
 /** One row in a concept's list view. */
 export interface EntrySummary {
@@ -36,6 +42,8 @@ export interface EntrySummary {
     title: string;
     date: string | null;
     draft: boolean;
+    /** Publish state derived from the ref set: live as-is, live with pending edits, or branch-only. */
+    status: 'published' | 'edited' | 'new';
 }
 /** The concept list view's data. */
 export interface ListData {
@@ -48,6 +56,8 @@ export interface ListData {
     error: string | null;
     /** A create-form bounce error read from `?error`. */
     formError: string | null;
+    /** The entry count from a publish-all redirect (`?publishedAll=`), for the list page's flash. */
+    publishedAll: number | null;
 }
 /** The editor's data. `frontmatter` holds form-ready values (dates already `YYYY-MM-DD`). */
 export interface EditData {
@@ -69,6 +79,14 @@ export interface EditData {
     linkTargets: LinkTarget[];
     /** The entries that link to this one, for the delete guard. Empty when nothing links here. */
     inboundLinks: InboundLink[];
+    /** True when the entry has a pending branch, so the body above came from that branch. */
+    pending: boolean;
+    /** True when the entry file exists on the default branch (the live site shows it). */
+    published: boolean;
+    /** True after a publish redirect (`?published=1`), for the confirmation strip. */
+    publishedFlash: boolean;
+    /** True after a discard redirect (`?discarded=1`), for the confirmation strip. */
+    discardedFlash: boolean;
 }
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent {
@@ -91,12 +109,15 @@ export interface ContentRoutesDeps {
     mintToken?: (env: GithubKeyEnv) => Promise<string>;
 }
 export declare function createContentRoutes(runtime: CairnRuntime, deps?: ContentRoutesDeps): {
-    layoutLoad: (event: ContentEvent) => LayoutData;
+    layoutLoad: (event: ContentEvent) => Promise<LayoutData>;
     indexRedirect: () => never;
     listLoad: (event: ContentEvent) => Promise<ListData>;
     createAction: (event: ContentEvent) => Promise<never>;
     editLoad: (event: ContentEvent) => Promise<EditData>;
     saveAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    publishAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    publishAllAction: (event: ContentEvent) => Promise<never>;
+    discardAction: (event: ContentEvent) => Promise<never>;
     deleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     listDeleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;