@glw907/cairn-cms 0.38.0 → 0.41.0

package/dist/components/link-completion.js

@@ -1,5 +1,8 @@
-import { syntaxTree } from '@codemirror/language';
 import { formatCairnToken, escapeLinkText } from '../content/links.js';
+// EditPage imports this module statically, so a static @codemirror value import here would pull
+// CodeMirror into a consumer's server bundle. syntaxTree resolves lazily inside the source
+// instead (a CompletionSource may return a Promise), cached after the first completion.
+let langMod = null;
 /** The known concepts in display order; an unlisted concept sorts after these under its own name. */
 const CONCEPT_SECTIONS = {
     pages: { name: 'Pages', rank: 0 },
@@ -30,7 +33,7 @@ export function linkCompletions(targets, query) {
  *  whole `[[query` with the chosen link, and sets filter:false because linkCompletions already
  *  filtered by the query (CodeMirror would otherwise re-filter against the literal `[[query`). */
 export function cairnLinkCompletionSource(targets) {
-    return (context) => {
+    return async (context) => {
         const line = context.state.doc.lineAt(context.pos);
         const before = context.state.sliceDoc(line.from, context.pos);
         const trigger = matchCairnTrigger(before);
@@ -38,7 +41,11 @@ export function cairnLinkCompletionSource(targets) {
             return null;
         // Skip a [[ inside a fenced or inline code node: a cairn link there would be literal text, and
         // the build resolver does not look inside code. The node name carries "Code" for both forms.
-        const node = syntaxTree(context.state).resolveInner(context.pos, -1);
+        langMod ??= await import('@codemirror/language');
+        // The first completion awaits the import above, so the request may already be stale here.
+        if (context.aborted)
+            return null;
+        const node = langMod.syntaxTree(context.state).resolveInner(context.pos, -1);
         for (let n = node; n; n = n.parent) {
             if (/Code/.test(n.name))
                 return null;

package/dist/components/markdown-directives.d.ts

@@ -0,0 +1,7 @@
+/** Classify a whole line as a container fence, a leaf directive, or neither. */
+export declare function directiveLineKind(line: string): 'fence' | 'leaf' | null;
+/** Inline directive ranges (`:name[...]{...}`) within a line of text. */
+export declare function findInlineDirectives(text: string): {
+    from: number;
+    to: number;
+}[];

package/dist/components/markdown-directives.js

@@ -0,0 +1,22 @@
+// Remark-directive detection for the editor's machinery highlighting (spec: directive syntax is
+// styled distinctly so an editor can tell component scaffolding from prose). Pure functions; the
+// CodeMirror decoration plugin wraps them.
+const FENCE = /^\s{0,3}:::+\s*[\w-]*\s*(\{[^}]*\})?\s*$/;
+const LEAF = /^\s{0,3}::[\w-]+(\[[^\]]*\])?(\{[^}]*\})?\s*$/;
+const INLINE = /(?<![:\w]):[\w-]+\[[^\]]*\](\{[^}]*\})?/g;
+/** Classify a whole line as a container fence, a leaf directive, or neither. */
+export function directiveLineKind(line) {
+    if (FENCE.test(line))
+        return 'fence';
+    if (LEAF.test(line))
+        return 'leaf';
+    return null;
+}
+/** Inline directive ranges (`:name[...]{...}`) within a line of text. */
+export function findInlineDirectives(text) {
+    const out = [];
+    for (const m of text.matchAll(INLINE)) {
+        out.push({ from: m.index, to: m.index + m[0].length });
+    }
+    return out;
+}

package/dist/components/markdown-format.d.ts

@@ -1,4 +1,4 @@
-export type FormatKind = 'bold' | 'italic' | 'code' | 'heading' | 'quote' | 'ul' | 'link';
+export type FormatKind = 'bold' | 'italic' | 'code' | 'strike' | 'h2' | 'h3' | 'quote' | 'ul' | 'ol' | 'task' | 'codeblock' | 'hr' | 'table' | 'link';
 export interface FormatResult {
     doc: string;
     from: number;

package/dist/components/markdown-format.js

@@ -8,13 +8,81 @@ import remarkParse from 'remark-parse';
 import remarkGfm from 'remark-gfm';
 import { visit } from 'unist-util-visit';
 import { escapeLinkText } from '../content/links.js';
-const WRAP = { bold: '**', italic: '_', code: '`' };
-const LINE_PREFIX = { heading: '# ', quote: '> ', ul: '- ' };
+const WRAP = { bold: '**', italic: '_', code: '`', strike: '~~' };
+/**
+ * Per-kind line-prefix behavior. `prefix` builds the marker for the line's 0-based index (only ol
+ * varies by line). `exact` matches a line already carrying this kind's own marker; when every
+ * selected line matches, the format toggles off. `strip` matches a competing marker to replace
+ * before prefixing, so h2 on an h3 line swaps the level instead of stacking. Quote and ul keep
+ * their original add-only behavior, so they carry neither regex.
+ */
+const LINE = {
+    h2: { prefix: () => '## ', exact: /^## /, strip: /^#{1,6} / },
+    h3: { prefix: () => '### ', exact: /^### /, strip: /^#{1,6} / },
+    quote: { prefix: () => '> ' },
+    ul: { prefix: () => '- ' },
+    ol: { prefix: (i) => `${i + 1}. `, exact: /^\d+\. /, strip: /^\d+\. / },
+    task: { prefix: () => '- [ ] ', exact: /^- \[[ xX]\] /, strip: /^- \[[ xX]\] / },
+};
+const TABLE_GRID = '| Column 1 | Column 2 |\n| -------- | -------- |\n|          |          |\n|          |          |';
+/** Wrap the selection in `marker`, or unwrap when the markers are already there (inside or just
+ *  outside the selection). The returned range covers the text without its markers either way. */
+function toggleWrap(doc, from, to, marker) {
+    const m = marker.length;
+    const sel = doc.slice(from, to);
+    if (sel.length >= 2 * m && sel.startsWith(marker) && sel.endsWith(marker)) {
+        const inner = sel.slice(m, sel.length - m);
+        return { doc: doc.slice(0, from) + inner + doc.slice(to), from, to: to - 2 * m };
+    }
+    if (from >= m && doc.slice(from - m, from) === marker && doc.slice(to, to + m) === marker) {
+        return { doc: doc.slice(0, from - m) + sel + doc.slice(to + m), from: from - m, to: to - m };
+    }
+    const next = doc.slice(0, from) + marker + sel + marker + doc.slice(to);
+    return { doc: next, from: from + m, to: to + m };
+}
+/** Apply a line-prefix kind to every selected line. When the kind toggles and every line already
+ *  carries its marker, the markers come off; otherwise competing markers are replaced and each
+ *  line gains the kind's prefix. The selection shifts with the first line's edit and stretches
+ *  by the total length change, the same mechanics the original single-prefix version had. */
+function applyLinePrefix(doc, from, to, kind) {
+    const { prefix, exact, strip } = LINE[kind];
+    const lineStart = doc.lastIndexOf('\n', from - 1) + 1; // 0 when the selection is on the first line
+    const lines = doc.slice(lineStart, to).split('\n');
+    const next = exact && lines.every((line) => exact.test(line))
+        ? lines.map((line) => line.replace(exact, ''))
+        : lines.map((line, i) => prefix(i) + (strip ? line.replace(strip, '') : line));
+    const region = next.join('\n');
+    const firstDelta = next[0].length - lines[0].length;
+    const totalDelta = region.length - (to - lineStart);
+    return {
+        doc: doc.slice(0, lineStart) + region + doc.slice(to),
+        from: Math.max(lineStart, from + firstDelta),
+        to: to + totalDelta,
+    };
+}
+/** Fence the selected lines in triple backticks on their own lines, or remove the fences when the
+ *  lines just above and below the selection already are fences. */
+function toggleCodeFence(doc, from, to) {
+    const lineStart = doc.lastIndexOf('\n', from - 1) + 1;
+    const lineEndRaw = doc.indexOf('\n', to);
+    const lineEnd = lineEndRaw === -1 ? doc.length : lineEndRaw;
+    const prevStart = lineStart > 0 ? doc.lastIndexOf('\n', lineStart - 2) + 1 : -1;
+    const prevLine = prevStart >= 0 ? doc.slice(prevStart, lineStart - 1) : null;
+    const nextEndRaw = lineEnd < doc.length ? doc.indexOf('\n', lineEnd + 1) : -1;
+    const nextEnd = nextEndRaw === -1 ? doc.length : nextEndRaw;
+    const nextLine = lineEnd < doc.length ? doc.slice(lineEnd + 1, nextEnd) : null;
+    if (prevLine === '```' && nextLine === '```') {
+        const removedBefore = lineStart - prevStart; // the opening fence line and its newline
+        const next = doc.slice(0, prevStart) + doc.slice(lineStart, lineEnd) + doc.slice(nextEnd);
+        return { doc: next, from: from - removedBefore, to: to - removedBefore };
+    }
+    const open = '```\n';
+    const next = doc.slice(0, lineStart) + open + doc.slice(lineStart, lineEnd) + '\n```' + doc.slice(lineEnd);
+    return { doc: next, from: from + open.length, to: to + open.length };
+}
 export function applyMarkdownFormat(doc, from, to, kind) {
-    if (kind === 'bold' || kind === 'italic' || kind === 'code') {
-        const marker = WRAP[kind];
-        const next = doc.slice(0, from) + marker + doc.slice(from, to) + marker + doc.slice(to);
-        return { doc: next, from: from + marker.length, to: to + marker.length };
+    if (kind === 'bold' || kind === 'italic' || kind === 'code' || kind === 'strike') {
+        return toggleWrap(doc, from, to, WRAP[kind]);
     }
     if (kind === 'link') {
         const text = doc.slice(from, to);
@@ -24,12 +92,23 @@ export function applyMarkdownFormat(doc, from, to, kind) {
         const urlStart = from + lead.length;
         return { doc: doc.slice(0, from) + inserted + doc.slice(to), from: urlStart, to: urlStart + placeholder.length };
     }
-    const prefix = LINE_PREFIX[kind];
-    const lineStart = doc.lastIndexOf('\n', from - 1) + 1; // 0 when the selection is on the first line
-    const region = doc.slice(lineStart, to);
-    const prefixed = region.replace(/^/gm, prefix);
-    const added = prefixed.length - region.length;
-    return { doc: doc.slice(0, lineStart) + prefixed + doc.slice(to), from: from + prefix.length, to: to + added };
+    if (kind === 'codeblock')
+        return toggleCodeFence(doc, from, to);
+    if (kind === 'hr') {
+        const inserted = '\n\n---\n\n';
+        const at = from + inserted.length;
+        return { doc: doc.slice(0, from) + inserted + doc.slice(to), from: at, to: at };
+    }
+    if (kind === 'table') {
+        const inserted = `\n\n${TABLE_GRID}\n\n`;
+        const cellStart = from + inserted.indexOf('Column 1');
+        return {
+            doc: doc.slice(0, from) + inserted + doc.slice(to),
+            from: cellStart,
+            to: cellStart + 'Column 1'.length,
+        };
+    }
+    return applyLinePrefix(doc, from, to, kind);
 }
 /**
  * Insert an inline markdown link at the selection. With a non-empty selection the selected text

package/dist/content/pending.d.ts

@@ -0,0 +1,9 @@
+/** Every pending branch sits under this prefix; one matching-refs call lists them all. */
+export declare const PENDING_PREFIX = "cairn/";
+/** The branch name holding an entry's pending edits. */
+export declare function pendingBranch(concept: string, id: string): string;
+/** Parse a branch name or fully qualified ref back to its entry, or null for any other ref. */
+export declare function parsePendingBranch(ref: string): {
+    concept: string;
+    id: string;
+} | null;

package/dist/content/pending.js

@@ -0,0 +1,24 @@
+// The pending-branch codec (publish-workflow spec): a pending entry lives on
+// `cairn/<conceptKey>/<id>`, and the ref's existence is the only pending state. Concept ids and
+// entry ids are slug-safe, so the name needs no escaping; the parser is the codec's inverse.
+/** Every pending branch sits under this prefix; one matching-refs call lists them all. */
+export const PENDING_PREFIX = 'cairn/';
+/** The branch name holding an entry's pending edits. */
+export function pendingBranch(concept, id) {
+    return `${PENDING_PREFIX}${concept}/${id}`;
+}
+/** Parse a branch name or fully qualified ref back to its entry, or null for any other ref. */
+export function parsePendingBranch(ref) {
+    const name = ref.startsWith('refs/heads/') ? ref.slice('refs/heads/'.length) : ref;
+    if (!name.startsWith(PENDING_PREFIX))
+        return null;
+    const rest = name.slice(PENDING_PREFIX.length);
+    const slash = rest.indexOf('/');
+    if (slash <= 0)
+        return null;
+    const concept = rest.slice(0, slash);
+    const id = rest.slice(slash + 1);
+    if (!id || id.includes('/'))
+        return null;
+    return { concept, id };
+}

package/dist/diagnostics/conditions.d.ts

@@ -10,11 +10,18 @@ export interface CairnCondition {
     why: string;
     /** The fix, often a command. */
     remediation: string;
-    /** Anchor into the readiness checklist doc, filled in when that doc lands (Pass 3). */
+    /**
+     * The condition's section in the readiness checklist, written as
+     * 'cloudflare-readiness.md#<heading-slug>' so a doc can link it relative to docs/guides/.
+     * The check:readiness gate parses the part after '#' and asserts the heading exists; two
+     * conditions may share a section. Every entry carries one unless the gate's allowlist
+     * excuses it.
+     */
     docsAnchor?: string;
     /** The log vocabulary event this condition correlates with, if any. */
     logEvent?: CairnLogEvent;
 }
+export declare const REGISTRY: Record<string, CairnCondition>;
 /** Resolve a condition by id. Throws on an unknown id, since ids are compile-time constants. */
 export declare function condition(id: string): CairnCondition;
 /** Every registered condition, for the checklist generator and coverage tests. */

package/dist/diagnostics/conditions.js

@@ -1,10 +1,12 @@
-const REGISTRY = {
+// Exported for the freeze test only; resolve entries through condition() everywhere else.
+export const REGISTRY = {
     'edge.https-not-forced': {
         id: 'edge.https-not-forced',
         severity: 'blocker',
         title: 'Always Use HTTPS is off',
         why: 'The JS-free admin sign-in posts a form, and the framework CSRF guard rejects a form POST whose origin scheme does not match, so an admin reached over http hits an opaque 403.',
         remediation: 'Turn on Always Use HTTPS for the zone under SSL/TLS, Edge Certificates, and keep HSTS on.',
+        docsAnchor: 'cloudflare-readiness.md#force-https-at-the-edge',
         logEvent: 'guard.rejected',
     },
     'auth.csrf-token-invalid': {
@@ -13,6 +15,7 @@ const REGISTRY = {
         title: 'Admin CSRF token check failed',
         why: 'An admin form POST carried no valid __Host-cairn_csrf double-submit token, usually a stale tab or blocked cookies.',
         remediation: 'Open the sign-in page fresh, allow cookies for the site, and request a new link.',
+        docsAnchor: 'cloudflare-readiness.md#admin-csrf-token-rejected',
         logEvent: 'guard.rejected',
     },
     'auth.csrf-origin-mismatch': {
@@ -21,6 +24,7 @@ const REGISTRY = {
         title: 'Non-admin form Origin rejected',
         why: "A non-admin unsafe form POST carried an Origin that did not match the site, so cairn's restored framework Origin check rejected it.",
         remediation: 'Post the form from the same origin, or check a proxy that strips or rewrites the Origin header.',
+        docsAnchor: 'cloudflare-readiness.md#non-admin-origin-rejected',
         logEvent: 'guard.rejected',
     },
     'email.sender-not-onboarded': {
@@ -29,6 +33,7 @@ const REGISTRY = {
         title: 'Email sending domain is not onboarded',
         why: 'The from-address domain has no enabled Cloudflare sending subdomain, so env.EMAIL.send has no aligned sender and the magic-link send throws E_SENDER_NOT_VERIFIED. No editor can sign in.',
         remediation: 'Onboard the sending domain with `wrangler email sending enable <domain>`, then re-deploy. The domain must match branding.from.',
+        docsAnchor: 'cloudflare-readiness.md#onboard-the-sending-domain',
         logEvent: 'auth.link.send_failed',
     },
     'email.send-failed': {
@@ -37,9 +42,71 @@ const REGISTRY = {
         title: 'Magic-link email send failed',
         why: 'The magic-link send threw for a reason other than a missing sender onboarding (a delivery error, a binding misconfiguration, or a custom sender failure), so the editor never received a link.',
         remediation: 'Read the auth.link.send_failed log record (the code and error fields) in Workers Logs, and check the EMAIL binding and the sender configuration.',
+        docsAnchor: 'cloudflare-readiness.md#onboard-the-sending-domain',
         logEvent: 'auth.link.send_failed',
     },
+    'config.bindings-missing': {
+        id: 'config.bindings-missing',
+        severity: 'blocker',
+        title: 'Wrangler bindings are missing',
+        why: 'The wrangler config declares no send_email binding named EMAIL or no D1 binding named AUTH_DB, so the magic-link send or the session store has nothing to call and no editor can sign in.',
+        remediation: 'Declare the send_email binding as EMAIL and the d1_databases binding as AUTH_DB in wrangler.jsonc (or wrangler.toml), then re-deploy.',
+        docsAnchor: 'cloudflare-readiness.md#deploy-the-worker-with-its-bindings',
+    },
+    'config.observability-off': {
+        id: 'config.observability-off',
+        severity: 'warning',
+        title: 'Workers Logs has no sink',
+        why: 'observability.enabled is not true in the wrangler config, so the structured log records go nowhere and a runtime failure leaves nothing to read.',
+        remediation: 'Set observability.enabled to true in wrangler.jsonc, then re-deploy.',
+        docsAnchor: 'cloudflare-readiness.md#turn-on-observability',
+    },
+    'config.csrf-disable-missing': {
+        id: 'config.csrf-disable-missing',
+        severity: 'warning',
+        title: 'Framework CSRF check is not handed off',
+        why: "The CSRF authority is not handed to cairn cleanly. Either svelte.config.js does not carry csrf: { checkOrigin: false }, so SvelteKit's own Origin check runs ahead of cairn's guard and rejects an admin form POST that arrives without an Origin header, or the disable is present with no cairn guard wired in src/hooks.server.ts, which leaves the site with no CSRF protection at all.",
+        remediation: "Set csrf: { checkOrigin: false } in svelte.config.js and wire createAuthGuard into src/hooks.server.ts; cairn's guard owns the Origin and double-submit token checks.",
+        docsAnchor: 'cloudflare-readiness.md#hand-cairn-the-csrf-authority',
+    },
+    'config.site-config-invalid': {
+        id: 'config.site-config-invalid',
+        severity: 'blocker',
+        title: 'Site config does not validate',
+        why: 'site.config.yaml fails to parse or fails the URL-policy validation, so the build and the admin cannot resolve the content concepts.',
+        remediation: 'Correct site.config.yaml; the parse or validation error names the failing field or URL-policy rule.',
+        docsAnchor: 'cloudflare-readiness.md#validate-the-site-config',
+    },
+    'edge.hsts-off': {
+        id: 'edge.hsts-off',
+        severity: 'warning',
+        title: 'HSTS is off',
+        why: 'The zone sends no Strict-Transport-Security header with a meaningful max-age, so browsers do not pin https and a later http visit can still hit the admin guard rejection.',
+        remediation: 'Turn on HSTS for the zone under SSL/TLS, Edge Certificates, with a max-age of at least six months.',
+        docsAnchor: 'cloudflare-readiness.md#turn-on-hsts',
+    },
+    'auth.store-unreachable': {
+        id: 'auth.store-unreachable',
+        severity: 'blocker',
+        title: 'Auth store is unreachable',
+        why: 'The AUTH_DB D1 database is missing, lacks the auth schema, or holds no owner row, so no magic-link token can be minted and nobody can sign in.',
+        remediation: 'Create the database, apply the auth schema with `wrangler d1 execute <db> --remote --file ./migrations/0000_auth.sql`, seed the owner row, and check the AUTH_DB binding id in wrangler.jsonc.',
+        docsAnchor: 'cloudflare-readiness.md#provision-the-auth-store',
+    },
+    'github.app-unreachable': {
+        id: 'github.app-unreachable',
+        severity: 'blocker',
+        title: 'GitHub App is unreachable',
+        why: 'The App key fails to parse, the App fails to authenticate, the installation token fails to mint, or the repository refuses a read, so saves and publishes cannot commit.',
+        remediation: 'Check GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, and GITHUB_APP_PRIVATE_KEY_B64 against the App settings, and confirm the App is installed on the repository.',
+        docsAnchor: 'cloudflare-readiness.md#install-the-github-app',
+        logEvent: 'github.unreachable',
+    },
 };
+// The registry is shared identity, never working state; freeze every entry and the map itself.
+for (const entry of Object.values(REGISTRY))
+    Object.freeze(entry);
+Object.freeze(REGISTRY);
 /** Resolve a condition by id. Throws on an unknown id, since ids are compile-time constants. */
 export function condition(id) {
     const found = REGISTRY[id];

package/dist/doctor/bin.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/doctor/bin.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+// cairn-doctor: the environment preflight. A thin shell over index.ts (where the unit tests
+// reach the logic): parse the flags, assemble the context with the real fetch and filesystem,
+// run the default registry plus the opt-in live send, print the report. Bad flags go to
+// stderr with exit 2; a failed check exits 1; a clean or all-skip run exits 0. The codes go
+// through process.exitCode, never process.exit, so a piped stdout flushes the whole report
+// before the process ends.
+import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { liveSendCheck } from './check-send.js';
+import { contextFromEnv, defaultChecks, formatReport, parseArgs, runDoctor } from './index.js';
+async function main() {
+    let args;
+    try {
+        args = parseArgs(process.argv.slice(2));
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exitCode = 2;
+        return;
+    }
+    const cwd = process.cwd();
+    const ctx = {
+        ...contextFromEnv(process.env, args, cwd),
+        fetch: globalThis.fetch,
+        readFile: async (relPath) => {
+            try {
+                return await readFile(resolve(cwd, relPath), 'utf8');
+            }
+            catch (err) {
+                if (err.code === 'ENOENT')
+                    return null;
+                throw err;
+            }
+        },
+    };
+    const checks = defaultChecks();
+    if (args.sendTest)
+        checks.push(liveSendCheck(args.sendTest));
+    const { results, failed } = await runDoctor(checks, ctx);
+    console.log(formatReport(results));
+    process.exitCode = failed > 0 ? 1 : 0;
+}
+await main();

package/dist/doctor/check-send.d.ts

@@ -0,0 +1,3 @@
+import type { DoctorCheck } from './types.js';
+/** Build the live-send check for one recipient address. */
+export declare function liveSendCheck(to: string): DoctorCheck;

package/dist/doctor/check-send.js

@@ -0,0 +1,43 @@
+// The doctor's opt-in live send (--send-test): one real message through the Email Sending
+// REST API, since the Worker EMAIL binding is unreachable from a CLI. A factory rather than
+// a check constant, so the check exists only when the bin receives an address; no default
+// registry carries it.
+//
+// Endpoint and payload verified against the Cloudflare API reference, 2026-06-11:
+//   POST /accounts/{account_id}/email/sending/send with { from, to, subject, text },
+//   where from and to take a plain address string.
+//   https://developers.cloudflare.com/api/resources/email_sending/
+import { fail, pass } from './types.js';
+import { cfPost, NO_ACCOUNT, NO_FROM } from './cloudflare-api.js';
+// Enough of an error body to act on without flooding the one-line report.
+const EXCERPT_MAX = 200;
+/** Build the live-send check for one recipient address. */
+export function liveSendCheck(to) {
+    return {
+        id: 'email.live-send',
+        conditionId: 'email.send-failed',
+        title: 'Live test send',
+        async run(ctx) {
+            if (!ctx.cfToken || !ctx.cfAccountId)
+                return NO_ACCOUNT;
+            if (!ctx.from)
+                return NO_FROM;
+            try {
+                const res = await cfPost(ctx, `/accounts/${ctx.cfAccountId}/email/sending/send`, {
+                    from: ctx.from,
+                    to,
+                    subject: 'cairn doctor test send',
+                    text: 'This is a cairn doctor test send. Receiving it proves the sending path.',
+                });
+                if (!res.ok) {
+                    const excerpt = (await res.text()).slice(0, EXCERPT_MAX);
+                    return fail(`send returned ${res.status}: ${excerpt}`);
+                }
+                return pass(`sent to ${to}; check the inbox`);
+            }
+            catch (err) {
+                return fail(String(err));
+            }
+        },
+    };
+}

package/dist/doctor/checks-cloudflare.d.ts

@@ -0,0 +1,5 @@
+import type { DoctorCheck } from './types.js';
+export declare const emailSenderOnboarded: DoctorCheck;
+export declare const edgeHttpsForced: DoctorCheck;
+export declare const edgeHsts: DoctorCheck;
+export declare const authStore: DoctorCheck;