@glw907/cairn-cms 0.38.0 → 0.41.0

package/dist/sveltekit/content-routes.js

@@ -10,6 +10,8 @@ import { isValidId, slugify, filenameFromId, composeDatedId, slugFromId, renameI
 import { rewriteCairnLink } from '../components/markdown-format.js';
 import { appCredentials } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFiles } from '../github/repo.js';
+import { branchHeadSha, createBranch, deleteBranch, listBranches } from '../github/branches.js';
+import { PENDING_PREFIX, pendingBranch, parsePendingBranch } from '../content/pending.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, removeEntry, inboundLinks } from '../content/manifest.js';
 import { CommitConflictError } from '../github/types.js';
@@ -31,8 +33,27 @@ function conceptOf(runtime, params) {
 }
 export function createContentRoutes(runtime, deps = {}) {
     const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
-    /** Layout load for every admin page: the nav, the user, the active path, and the resolved theme. */
-    function layoutLoad(event) {
+    /** Main's manifest, parsed. A missing file starts empty (a fresh repo before the first commit).
+     *  Always read from main: pending branches carry no manifest copy. */
+    async function readManifest(token) {
+        const raw = await readRaw(runtime.backend, runtime.manifestPath, token);
+        return raw === null ? emptyManifest() : parseManifest(raw);
+    }
+    /** The pending entry a `cairn/` ref names, or null for a ref the engine must ignore: a
+     *  malformed name, an id that fails the slug rule (entry paths are built from it, so this is
+     *  the path confinement), or a concept this site does not configure. Every ref consumer
+     *  (the layout count, the list view, publish-all) applies this one predicate, so a stray
+     *  hand-pushed ref cannot inflate a count it can never clear or reach a contents read. */
+    function pendingEntryOf(name) {
+        const ref = parsePendingBranch(name);
+        if (!ref || !isValidId(ref.id))
+            return null;
+        const concept = findConcept(runtime.concepts, ref.concept);
+        return concept ? { concept, id: ref.id } : null;
+    }
+    /** Layout load for every admin page: the nav, the user, the active path, the resolved theme,
+     *  and the pending entries behind the topbar's publish-all action. */
+    async function layoutLoad(event) {
         const editor = sessionOf(event);
         const cookieTheme = event.cookies?.get('cairn-admin-theme');
         const theme = cookieTheme === 'cairn-admin-dark' ? 'cairn-admin-dark' : 'cairn-admin';
@@ -40,6 +61,21 @@ export function createContentRoutes(runtime, deps = {}) {
         const collapsedNav = cookieCollapsed
             ? cookieCollapsed.split(',').map((part) => decodeURIComponent(part)).filter(Boolean)
             : [];
+        // Any failure here (the token mint, the network, a non-ok response) degrades to null rather
+        // than failing the whole admin shell or showing a wrong publish-all count.
+        let pendingEntries = null;
+        try {
+            const token = await mintToken(event.platform?.env ?? {});
+            const names = await listBranches(runtime.backend, PENDING_PREFIX, token);
+            pendingEntries = names.flatMap((name) => {
+                const entry = pendingEntryOf(name);
+                return entry ? [{ concept: entry.concept.id, id: entry.id }] : [];
+            });
+        }
+        catch (err) {
+            pendingEntries = null;
+            log.warn('github.unreachable', { scope: 'layout', error: String(err) });
+        }
         return {
             siteName: runtime.siteName,
             user: { displayName: editor.displayName, email: editor.email, role: editor.role },
@@ -50,6 +86,7 @@ export function createContentRoutes(runtime, deps = {}) {
             theme,
             collapsedNav,
             csrf: event.cookies ? issueCsrfToken({ url: event.url, cookies: event.cookies }) : '',
+            pendingEntries,
         };
     }
     /** Redirect /admin to the first concept's list (spec §7.6: land on the first concept). */
@@ -59,27 +96,32 @@ export function createContentRoutes(runtime, deps = {}) {
             throw error(404, 'No content types configured');
         throw redirect(307, `/admin/${first.id}`);
     }
-    /** Read a file's frontmatter for its list row, degrading to the id on any read failure. */
-    async function summarize(file, token) {
+    /** Read a file's frontmatter for its list row, degrading to the id on any read failure. The
+     *  repo defaults to main; a pending entry (edited or branch-only) passes its pending branch. */
+    async function summarize(file, token, status, repo = runtime.backend) {
         try {
-            const raw = await readRaw(runtime.backend, file.path, token);
+            const raw = await readRaw(repo, file.path, token);
             if (raw === null)
-                return { id: file.id, title: file.id, date: null, draft: false };
+                return { id: file.id, title: file.id, date: null, draft: false, status };
             const { frontmatter } = parseMarkdown(raw);
             const title = typeof frontmatter.title === 'string' && frontmatter.title.trim() ? frontmatter.title : file.id;
             const date = dateInputValue(frontmatter.date) || null;
-            return { id: file.id, title, date, draft: frontmatter.draft === true };
+            return { id: file.id, title, date, draft: frontmatter.draft === true, status };
         }
         catch {
-            return { id: file.id, title: file.id, date: null, draft: false };
+            return { id: file.id, title: file.id, date: null, draft: false, status };
         }
     }
-    /** List a concept's entries. A listing failure degrades to an inline error, not a thrown 500. */
+    /** List a concept's entries with their publish status. Main's files carry `edited` when a
+     *  pending ref exists, else `published`; a ref with no main file appends a `new` row read from
+     *  its branch. A listing failure degrades to an inline error, not a thrown 500. */
     async function listLoad(event) {
         sessionOf(event);
         const concept = conceptOf(runtime, event.params);
         const formError = event.url.searchParams.get('error');
-        const base = { conceptId: concept.id, label: concept.label, dated: concept.routing.dated, formError };
+        const publishedAllRaw = event.url.searchParams.get('publishedAll');
+        const publishedAll = publishedAllRaw !== null && /^\d+$/.test(publishedAllRaw) ? Number(publishedAllRaw) : null;
+        const base = { conceptId: concept.id, label: concept.label, dated: concept.routing.dated, formError, publishedAll };
         let token;
         try {
             token = await mintToken(event.platform?.env ?? {});
@@ -88,9 +130,29 @@ export function createContentRoutes(runtime, deps = {}) {
             return { ...base, entries: [], error: 'Could not authenticate with GitHub.' };
         }
         try {
-            const files = await listMarkdown(runtime.backend, concept.dir, token);
-            const entries = await Promise.all(files.map((f) => summarize(f, token)));
-            return { ...base, entries, error: null };
+            const [files, refs] = await Promise.all([
+                listMarkdown(runtime.backend, concept.dir, token),
+                listBranches(runtime.backend, `${PENDING_PREFIX}${concept.id}/`, token),
+            ]);
+            const pendingIds = new Set(refs.flatMap((name) => {
+                const entry = pendingEntryOf(name);
+                return entry && entry.concept.id === concept.id ? [entry.id] : [];
+            }));
+            // An edited row reads branch-first like a new row, so a pending title or draft change
+            // shows in the list instead of reading as a lost save.
+            const entries = await Promise.all(files.map((f) => pendingIds.has(f.id)
+                ? summarize(f, token, 'edited', { ...runtime.backend, branch: pendingBranch(concept.id, f.id) })
+                : summarize(f, token, 'published')));
+            // A ref with no main file is a never-published entry; its row reads from its branch, and
+            // summarize already degrades a failed read to an id-only row.
+            const listed = new Set(files.map((f) => f.id));
+            const newRows = await Promise.all([...pendingIds]
+                .filter((id) => !listed.has(id))
+                .map((id) => summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, 'new', {
+                ...runtime.backend,
+                branch: pendingBranch(concept.id, id),
+            })));
+            return { ...base, entries: [...entries, ...newRows], error: null };
         }
         catch {
             return { ...base, entries: [], error: 'Could not load this content type from GitHub.' };
@@ -121,6 +183,10 @@ export function createContentRoutes(runtime, deps = {}) {
         const existing = await readRaw(runtime.backend, `${concept.dir}/${filenameFromId(id)}`, token);
         if (existing !== null)
             return bounce('An entry with that slug already exists.');
+        // A pending branch is an entry too (saved but not yet published); refuse to clobber it.
+        if ((await branchHeadSha(runtime.backend, pendingBranch(concept.id, id), token)) !== null) {
+            return bounce('An unpublished entry with that slug already exists.');
+        }
         throw redirect(303, `/admin/${concept.id}/${id}?new=1`);
     }
     /** Coerce parsed frontmatter to the form-ready values the editor inputs expect. */
@@ -149,13 +215,24 @@ export function createContentRoutes(runtime, deps = {}) {
         const isNew = event.url.searchParams.get('new') === '1';
         const token = await mintToken(event.platform?.env ?? {});
         const datePrefix = concept.routing.dated ? concept.datePrefix : null;
-        // The entry file and the manifest are independent reads sharing the token; fetch them together.
-        const [raw, manifestRaw] = await Promise.all([
-            readRaw(runtime.backend, `${concept.dir}/${filenameFromId(id)}`, token),
+        const path = `${concept.dir}/${filenameFromId(id)}`;
+        // A pending entry reads branch-first: the editor shows the unpublished edits. The manifest
+        // (link targets and the inbound-link guard) always reads main, the authoritative copy.
+        // Stage 1 runs the branch probe, the main-path read, and the manifest read concurrently,
+        // so the probe does not serialize ahead of the other two; stage 2 adds the branch read
+        // only when the probe found a branch, with the stage-1 main read serving as the published
+        // signal either way.
+        const branch = pendingBranch(concept.id, id);
+        const [headSha, mainRaw, manifestRaw] = await Promise.all([
+            branchHeadSha(runtime.backend, branch, token),
+            readRaw(runtime.backend, path, token),
             readRaw(runtime.backend, runtime.manifestPath, token),
         ]);
+        const pending = headSha !== null;
+        const raw = pending ? await readRaw({ ...runtime.backend, branch }, path, token) : mainRaw;
         if (raw === null && !isNew)
             throw error(404, 'Entry not found');
+        const published = mainRaw !== null;
         const parsed = raw === null ? { frontmatter: {}, body: '' } : parseMarkdown(raw);
         const title = typeof parsed.frontmatter.title === 'string' && parsed.frontmatter.title.trim() ? parsed.frontmatter.title : id;
         let linkTargets = [];
@@ -187,6 +264,10 @@ export function createContentRoutes(runtime, deps = {}) {
             slug: slugFromId(id, datePrefix),
             linkTargets,
             inboundLinks: inbound,
+            pending,
+            published,
+            publishedFlash: event.url.searchParams.get('published') === '1',
+            discardedFlash: event.url.searchParams.get('discarded') === '1',
         };
     }
     /** Match a commit conflict by class and by name (bundling can alias the class identity). */
@@ -194,25 +275,32 @@ export function createContentRoutes(runtime, deps = {}) {
         return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
     }
     /** Log a failed commit: a conflict is the expected last-writer-wins outcome, so it warns with a
-     *  reason; any other error is unexpected and logs at error with the stringified cause. The caller
-     *  still owns the redirect or rethrow, so control flow stays at the call site. */
-    function logCommitFailed(fields, err) {
+     *  reason; any other error is unexpected and logs at error with the stringified cause. Publish
+     *  failures carry the same shape under their own event name. */
+    function logCommitFailed(fields, err, event = 'commit.failed') {
         if (isConflict(err)) {
-            log.warn('commit.failed', { ...fields, reason: 'conflict' });
+            log.warn(event, { ...fields, reason: 'conflict' });
         }
         else {
-            log.error('commit.failed', { ...fields, error: String(err) });
+            log.error(event, { ...fields, error: String(err) });
         }
     }
-    /** Save an edit: validate, then commit with the session editor as author. Fails safe on 409. */
-    async function saveAction(event) {
-        const editor = sessionOf(event);
-        const concept = conceptOf(runtime, event.params);
-        const id = event.params.id ?? '';
-        // Confine the commit path to the concept dir, built from a validated id (the App token can
-        // write anywhere in the repo). Reject before touching GitHub.
-        if (!isValidId(id))
-            throw error(400, 'Invalid entry id');
+    /** The shared commit catch for the entry actions: log the failure, bounce a conflict back to
+     *  `page` with `message` as the inline error, and rethrow anything else. `query` keeps any extra
+     *  params the bounce must carry (saveAction's `&new=1`). */
+    function commitFailure(fields, err, page, message, opts = {}) {
+        logCommitFailed(fields, err, opts.event);
+        if (isConflict(err)) {
+            throw redirect(303, `${page}?error=${encodeURIComponent(message)}${opts.query ?? ''}`);
+        }
+        throw err;
+    }
+    /** The shared core of save and publish: parse the posted form, validate the frontmatter,
+     *  guard the body's cairn links, ensure the pending branch, and commit the entry file there
+     *  with the session editor as author. Returns the broken-link fail for the page to render,
+     *  or the held state; throws the redirect bounces save has always thrown (invalid
+     *  frontmatter, a branch-commit conflict). Main stays untouched. */
+    async function saveToBranch(event, editor, concept, id) {
         const path = `${concept.dir}/${filenameFromId(id)}`;
         const form = await event.request.formData();
         const body = String(form.get('body') ?? '');
@@ -225,24 +313,19 @@ export function createContentRoutes(runtime, deps = {}) {
         }
         const markdown = serializeMarkdown(result.data, body);
         const token = await mintToken(event.platform?.env ?? {});
-        // Read the committed manifest, upsert this entry's row, and commit content and manifest in one
-        // commit. A missing manifest starts empty (first save on a fresh repo). The build regenerates
-        // and verifies the manifest, so this incremental patch is the cheap request-time path. On a
-        // 422 retry commitFiles re-sends this manifest blob last-writer-wins. A concurrent save can then
-        // leave the committed manifest stale, which the next build rejects via verifyManifest; regenerate
-        // it with npm run cairn:manifest to recover.
-        const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
-        const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
+        // Upsert this entry's row into main's manifest in memory, for the link guard here and for
+        // the publish commit. The save commits no manifest change; publish lands the upsert on main.
+        const manifest = await readManifest(token);
         const row = manifestEntryFromFile(concept, { path, raw: markdown });
         const upserted = upsertEntry(manifest, row);
-        const nextManifest = serializeManifest(upserted);
-        // Save guard: resolve the body's cairn links against the manifest with this entry upserted, so a
-        // self-link and a link to any existing target resolves. A link to an absent target hard-blocks
-        // the save (it would red the deploy build and the author would not see it); a link to a draft
-        // target commits with a warning, since it is valid and resolves once the target is published.
+        // Save guard: resolve the body's cairn links against main's manifest with this entry upserted,
+        // so a self-link and a link to any published target resolves. A link to a target absent from
+        // main hard-blocks the save (publishing this entry before its target would red the deploy
+        // build); a link to a draft target commits with a warning, since it is valid and resolves once
+        // the target is published.
         const byKey = new Map(upserted.entries.map((e) => [`${e.concept}/${e.id}`, e]));
         const absent = [];
-        const draft = [];
+        const draftLinks = [];
         for (const ref of extractCairnLinks(body)) {
             // A self-link is valid by construction (the upserted manifest holds this very entry), so
             // skip it before classifying. Mirrors inboundLinks's self-exclusion.
@@ -252,29 +335,182 @@ export function createContentRoutes(runtime, deps = {}) {
             if (!target)
                 absent.push(formatCairnToken(ref));
             else if (target.draft)
-                draft.push(formatCairnToken(ref));
+                draftLinks.push(formatCairnToken(ref));
         }
         if (absent.length) {
             return fail(400, { brokenLinks: absent, body });
         }
+        // Ensure the entry's pending branch exists (cut lazily from main's head on first save), then
+        // commit only the entry file there. Main stays untouched until publish, so the branch differs
+        // from main at exactly this entry's path.
+        const branch = pendingBranch(concept.id, id);
+        if ((await branchHeadSha(runtime.backend, branch, token)) === null) {
+            const mainHead = await branchHeadSha(runtime.backend, runtime.backend.branch, token);
+            if (mainHead === null)
+                throw error(500, 'Cannot read the default branch');
+            await createBranch(runtime.backend, branch, mainHead, token);
+        }
+        const commitFields = { concept: concept.id, id, editor: editor.email, branch };
+        let branchSha;
+        try {
+            branchSha = await commitFiles({ ...runtime.backend, branch }, [{ path, content: markdown }], { message: `Update ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } }, token);
+            log.info('commit.succeeded', commitFields);
+        }
+        catch (err) {
+            commitFailure(commitFields, err, `/admin/${concept.id}/${id}`, 'This file changed since you opened it. Reload and reapply your edits.', { query: suffix });
+        }
+        return { path, markdown, branch, branchSha, manifest: upserted, draftLinks, token };
+    }
+    /** Save an edit: validate, then commit to the entry's pending branch with the session editor
+     *  as author. Main and its manifest stay untouched until publish. Fails safe on 409. */
+    async function saveAction(event) {
+        const editor = sessionOf(event);
+        const concept = conceptOf(runtime, event.params);
+        const id = event.params.id ?? '';
+        // Confine the commit path to the concept dir, built from a validated id (the App token can
+        // write anywhere in the repo). Reject before touching GitHub.
+        if (!isValidId(id))
+            throw error(400, 'Invalid entry id');
+        const held = await saveToBranch(event, editor, concept, id);
+        if (!('branchSha' in held))
+            return held;
+        const savedQuery = held.draftLinks.length
+            ? `saved=1&drafts=${encodeURIComponent(held.draftLinks.join(','))}`
+            : 'saved=1';
+        throw redirect(303, `/admin/${concept.id}/${id}?${savedQuery}`);
+    }
+    /** Publish an entry: validate and hold the posted form exactly like save (the branch gets the
+     *  same commit), then copy that markdown to main with the manifest row upserted in one atomic
+     *  commit. Publish-what-you-see: the posted form is the published content, so text typed
+     *  after the last save goes live too, and publish works regardless of prior branch state.
+     *  The branch is deleted only when its head still matches the commit this action made; a
+     *  concurrent save moved it, so the entry stays pending and the next publish picks it up. */
+    async function publishAction(event) {
+        const editor = sessionOf(event);
+        const concept = conceptOf(runtime, event.params);
+        const id = event.params.id ?? '';
+        if (!isValidId(id))
+            throw error(400, 'Invalid entry id');
+        const held = await saveToBranch(event, editor, concept, id);
+        if (!('branchSha' in held))
+            return held;
+        const { path, markdown, branch, branchSha, manifest, token } = held;
         const commitFields = { concept: concept.id, id, editor: editor.email };
         try {
             await commitFiles(runtime.backend, [
                 { path, content: markdown },
-                { path: runtime.manifestPath, content: nextManifest },
-            ], { message: `Update ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } }, token);
-            log.info('commit.succeeded', commitFields);
+                { path: runtime.manifestPath, content: serializeManifest(manifest) },
+            ], { message: `Publish ${concept.label.toLowerCase()}: ${id}`, author: { name: editor.displayName, email: editor.email } }, token);
+            log.info('entry.published', { ...commitFields, batch: false });
         }
         catch (err) {
-            logCommitFailed(commitFields, err);
+            // The branch already holds the just-committed edits, so a conflict here loses nothing.
+            commitFailure(commitFields, err, `/admin/${concept.id}/${id}`, 'Your edits are saved. Reload and publish again.', { event: 'publish.failed' });
+        }
+        // Only after the main commit lands, and only when the branch head is still the commit this
+        // action made: a head that moved is a concurrent save, and deleting it would destroy edits.
+        // No log event for the skip; the pending badge is the surface.
+        if ((await branchHeadSha(runtime.backend, branch, token)) === branchSha) {
+            await deleteBranch(runtime.backend, branch, token);
+        }
+        throw redirect(303, `/admin/${concept.id}/${id}?published=1`);
+    }
+    /** Publish every pending entry site-wide: one atomic commit on main carrying each branch's
+     *  entry file plus the manifest with every row upserted, then delete the consumed branches.
+     *  Mounted on the concept list shim, but the topbar posts here from anywhere, so the route's
+     *  concept param is ignored and the redirect lands on the first configured concept. */
+    async function publishAllAction(event) {
+        const editor = sessionOf(event);
+        const first = runtime.concepts[0];
+        if (!first)
+            throw error(404, 'No content types configured');
+        const token = await mintToken(event.platform?.env ?? {});
+        const listPage = `/admin/${first.id}`;
+        // Each cairn/ ref names a pending entry; the shared predicate skips a stray ref rather
+        // than failing the whole batch on it.
+        const names = await listBranches(runtime.backend, PENDING_PREFIX, token);
+        const pending = names.flatMap((name) => {
+            const entry = pendingEntryOf(name);
+            return entry ? [{ ...entry, branch: name, path: `${entry.concept.dir}/${filenameFromId(entry.id)}` }] : [];
+        });
+        // Read every branch in parallel, capturing each head sha BEFORE its file read: the sha
+        // guards the post-publish delete, and probing first fails safe (a save landing between the
+        // probe and the read moves the head past the capture, so the delete is skipped and the
+        // entry stays pending). A ghost ref whose entry file is missing is skipped (discard can
+        // clean it up); it carries nothing to publish.
+        const reads = await Promise.all(pending.map(async (entry) => {
+            const sha = await branchHeadSha(runtime.backend, entry.branch, token);
+            const raw = await readRaw({ ...runtime.backend, branch: entry.branch }, entry.path, token);
+            return { ...entry, sha, raw };
+        }));
+        // Fold main's manifest once over every row, so the batch lands content and index together,
+        // the same shape as a single publish.
+        let next = await readManifest(token);
+        const changes = [];
+        const published = [];
+        for (const entry of reads) {
+            if (entry.raw === null || entry.sha === null)
+                continue;
+            changes.push({ path: entry.path, content: entry.raw });
+            next = upsertEntry(next, manifestEntryFromFile(entry.concept, { path: entry.path, raw: entry.raw }));
+            published.push({ concept: entry.concept.id, id: entry.id, branch: entry.branch, sha: entry.sha });
+        }
+        if (published.length === 0) {
+            const message = 'Nothing to publish. Every entry is already live.';
+            throw redirect(303, `${listPage}?error=${encodeURIComponent(message)}`);
+        }
+        changes.push({ path: runtime.manifestPath, content: serializeManifest(next) });
+        const noun = published.length === 1 ? 'entry' : 'entries';
+        try {
+            await commitFiles(runtime.backend, changes, { message: `Publish ${published.length} ${noun}`, author: { name: editor.displayName, email: editor.email } }, token);
+            for (const entry of published) {
+                log.info('entry.published', { concept: entry.concept, id: entry.id, editor: editor.email, batch: true });
+            }
+        }
+        catch (err) {
+            // One record per entry in the failed batch, so the log names what did not go live.
+            for (const entry of published) {
+                logCommitFailed({ concept: entry.concept, id: entry.id, editor: editor.email }, err, 'publish.failed');
+            }
             if (isConflict(err)) {
-                const message = 'This file changed since you opened it. Reload and reapply your edits.';
-                throw redirect(303, `/admin/${concept.id}/${id}?error=${encodeURIComponent(message)}${suffix}`);
+                const message = 'The site changed while publishing. Reload and try again.';
+                throw redirect(303, `${listPage}?error=${encodeURIComponent(message)}`);
             }
             throw err;
         }
-        const savedQuery = draft.length ? `saved=1&drafts=${encodeURIComponent(draft.join(','))}` : 'saved=1';
-        throw redirect(303, `/admin/${concept.id}/${id}?${savedQuery}`);
+        // Only after the main commit lands: a failure above keeps every branch and its edits. Each
+        // branch deletes only when its head still matches the captured sha; a moved head is a
+        // concurrent save, so the entry stays pending and the next publish picks it up (no log
+        // event for the skip; the pending badge is the surface). A failed delete leaves an
+        // idempotent straggler (re-publishing copies the same content), so one failure does not
+        // abort the remaining deletes.
+        for (const entry of published) {
+            try {
+                if ((await branchHeadSha(runtime.backend, entry.branch, token)) === entry.sha) {
+                    await deleteBranch(runtime.backend, entry.branch, token);
+                }
+            }
+            catch {
+                // The entry is live; the straggler just shows as still pending until the next publish.
+            }
+        }
+        throw redirect(303, `${listPage}?publishedAll=${published.length}`);
+    }
+    /** Discard an entry's pending edits: delete the branch (tolerant of already-gone) and return to
+     *  the edit page when the entry lives on main, else to the list (the entry is gone entirely). */
+    async function discardAction(event) {
+        const editor = sessionOf(event);
+        const concept = conceptOf(runtime, event.params);
+        const id = event.params.id ?? '';
+        if (!isValidId(id))
+            throw error(400, 'Invalid entry id');
+        const token = await mintToken(event.platform?.env ?? {});
+        await deleteBranch(runtime.backend, pendingBranch(concept.id, id), token);
+        log.info('entry.discarded', { concept: concept.id, id, editor: editor.email });
+        const onMain = await readRaw(runtime.backend, `${concept.dir}/${filenameFromId(id)}`, token);
+        if (onMain !== null)
+            throw redirect(303, `/admin/${concept.id}/${id}?discarded=1`);
+        throw redirect(303, `/admin/${concept.id}`);
     }
     /** The shared delete core. Block-until-clean: refuse while inbound links exist (naming them), else
      *  commit the file removal and the manifest patch in one commit. The inbound recheck here is the
@@ -286,12 +522,20 @@ export function createContentRoutes(runtime, deps = {}) {
         const token = await mintToken(event.platform?.env ?? {});
         // An absent manifest degrades the inbound gate to "allow": with no manifest there is nothing to
         // check, and the build's cairn: backstop still catches any dangling token, mirroring saveAction.
-        const manifestRaw = await readRaw(runtime.backend, runtime.manifestPath, token);
-        const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
+        const manifest = await readManifest(token);
         const inbound = inboundLinks(manifest, concept.id, id);
         if (inbound.length) {
             return fail(409, { inboundLinks: inbound, id });
         }
+        // When the entry was never published (absent from main), the branch delete is the whole
+        // operation; main has nothing to commit, so the only honest log record is the discard of
+        // the pending edits.
+        const onMain = await readRaw(runtime.backend, path, token);
+        if (onMain === null) {
+            await deleteBranch(runtime.backend, pendingBranch(concept.id, id), token);
+            log.info('entry.discarded', { concept: concept.id, id, editor: editor.email });
+            throw redirect(303, `/admin/${concept.id}`);
+        }
         const nextManifest = serializeManifest(removeEntry(manifest, concept.id, id));
         const commitFields = { concept: concept.id, id, editor: editor.email };
         try {
@@ -302,12 +546,17 @@ export function createContentRoutes(runtime, deps = {}) {
             log.info('commit.succeeded', commitFields);
         }
         catch (err) {
-            logCommitFailed(commitFields, err);
-            if (isConflict(err)) {
-                const message = 'This file changed since you opened it. Reload and try again.';
-                throw redirect(303, `/admin/${concept.id}/${id}?error=${encodeURIComponent(message)}`);
-            }
-            throw err;
+            commitFailure(commitFields, err, `/admin/${concept.id}/${id}`, 'This file changed since you opened it. Reload and try again.');
+        }
+        // Cascade to the pending branch only after the removal lands on main, so a commit conflict
+        // keeps the unpublished edits. A straggler ref left by a failure here is idempotent and
+        // recoverable (it lists as a never-published row a discard can clean up), matching
+        // publish's posture, so the entry's deletion still completes.
+        try {
+            await deleteBranch(runtime.backend, pendingBranch(concept.id, id), token);
+        }
+        catch {
+            // The entry is gone from main; the straggler shows as a pending row until discarded.
         }
         throw redirect(303, `/admin/${concept.id}`);
     }
@@ -340,6 +589,12 @@ export function createContentRoutes(runtime, deps = {}) {
         const id = event.params.id ?? '';
         if (!isValidId(id))
             throw error(400, 'Invalid entry id');
+        const token = await mintToken(event.platform?.env ?? {});
+        // Pending edits on the branch are keyed to the old id; renaming underneath them would strand
+        // them, so refuse until the editor publishes or discards.
+        if ((await branchHeadSha(runtime.backend, pendingBranch(concept.id, id), token)) !== null) {
+            return fail(409, { renameError: 'This entry has unpublished edits. Publish or discard them, then rename.' });
+        }
         const form = await event.request.formData();
         const newSlug = String(form.get('slug') ?? '').trim();
         if (!isValidId(newSlug)) {
@@ -355,7 +610,6 @@ export function createContentRoutes(runtime, deps = {}) {
         const newId = renameId(id, newSlug, datePrefix);
         const oldPath = `${concept.dir}/${filenameFromId(id)}`;
         const newPath = `${concept.dir}/${filenameFromId(newId)}`;
-        const token = await mintToken(event.platform?.env ?? {});
         // Collision guard: refuse if a file already exists at the new path. This 409 covers two cases a
         // single readRaw cannot tell apart: a static collision with an existing entry, and a
         // concurrent-rename race where another editor renamed onto this path between load and submit.
@@ -363,13 +617,12 @@ export function createContentRoutes(runtime, deps = {}) {
         if (clobber !== null) {
             return fail(409, { renameError: 'An entry with that slug already exists.' });
         }
-        const [entryRaw, manifestRaw] = await Promise.all([
+        const [entryRaw, manifest] = await Promise.all([
             readRaw(runtime.backend, oldPath, token),
-            readRaw(runtime.backend, runtime.manifestPath, token),
+            readManifest(token),
         ]);
         if (entryRaw === null)
             throw error(404, 'Entry not found');
-        const manifest = manifestRaw === null ? emptyManifest() : parseManifest(manifestRaw);
         const oldHref = formatCairnToken({ concept: concept.id, id });
         const newHref = formatCairnToken({ concept: concept.id, id: newId });
         // The moved file keeps its content, except a self-token rewrite. Re-derive its manifest row from
@@ -402,14 +655,9 @@ export function createContentRoutes(runtime, deps = {}) {
             log.info('commit.succeeded', commitFields);
         }
         catch (err) {
-            logCommitFailed(commitFields, err);
-            if (isConflict(err)) {
-                const message = 'This file changed since you opened it. Reload and try again.';
-                throw redirect(303, `/admin/${concept.id}/${id}?error=${encodeURIComponent(message)}`);
-            }
-            throw err;
+            commitFailure(commitFields, err, `/admin/${concept.id}/${id}`, 'This file changed since you opened it. Reload and try again.');
         }
         throw redirect(303, `/admin/${concept.id}/${newId}?renamed=1`);
     }
-    return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, deleteAction, listDeleteAction, renameAction, mintToken };
+    return { layoutLoad, indexRedirect, listLoad, createAction, editLoad, saveAction, publishAction, publishAllAction, discardAction, deleteAction, listDeleteAction, renameAction, mintToken };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.38.0",
+  "version": "0.41.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [
@@ -26,9 +26,10 @@
     "markdown"
   ],
   "scripts": {
-    "package": "svelte-package && node scripts/build-admin-css.mjs && chmod +x dist/vite/bin.js",
+    "package": "svelte-package && node scripts/build-admin-css.mjs && chmod +x dist/vite/bin.js dist/doctor/bin.js",
     "check:package": "npm run package && publint --strict && attw --pack . --ignore-rules no-resolution cjs-resolves-to-esm internal-resolution-error",
     "check:reference": "npm run package && node scripts/reference-coverage.mjs",
+    "check:readiness": "npm run package && node scripts/check-readiness.mjs",
     "check:docs": "node scripts/docs-links.mjs",
     "check:prose": "node scripts/check-admin-prose.mjs",
     "prepare": "npm run package",
@@ -82,7 +83,8 @@
     "./package.json": "./package.json"
   },
   "bin": {
-    "cairn-manifest": "./dist/vite/bin.js"
+    "cairn-manifest": "./dist/vite/bin.js",
+    "cairn-doctor": "./dist/doctor/bin.js"
   },
   "files": [
     "dist",
@@ -90,7 +92,7 @@
     "CHANGELOG.md"
   ],
   "peerDependencies": {
-    "@sveltejs/kit": "^2",
+    "@sveltejs/kit": "^2.12",
     "svelte": "^5.0.0"
   },
   "dependencies": {
@@ -100,6 +102,7 @@
     "@codemirror/language": "^6.12.3",
     "@codemirror/state": "^6.6.0",
     "@codemirror/view": "^6.43.0",
+    "@lezer/highlight": "^1.2.3",
     "@lucide/svelte": "^1.17.0",
     "@rodrigodagostino/svelte-sortable-list": "^2.1.17",
     "@types/hast": "^3.0.4",
@@ -139,7 +142,7 @@
     "postcss": "^8.5.15",
     "postcss-prefix-selector": "^2.1.1",
     "publint": "^0.3.21",
-    "svelte": "^5.55",
+    "svelte": "^5.56.3",
     "svelte-check": "^4",
     "tailwindcss": "^4.3.0",
     "typescript": "^6.0.3",