@glw907/cairn-cms 0.4.0 → 0.5.0

package/README.md

@@ -2,18 +2,18 @@
 
 An embedded, **magic-link**, GitHub-committing CMS for SvelteKit + Cloudflare sites.
 Non-technical authors log in by email (no GitHub account, no password), edit **raw
-markdown** in a [Carta](https://github.com/BearToCode/carta) editor, and save — which
+markdown** in a [Carta](https://github.com/BearToCode/carta) editor, and save. Each save
 commits to `main` via a **GitHub App** (committer = `cairn-cms[bot]`, author = the editor)
 and auto-deploys.
 
 It is **design-agnostic**: each consumer site supplies an adapter (collections, slug
 convention, frontmatter schema, and its own `renderPreview(md)`), so the same engine drives
-sites with completely different markdown pipelines — e.g. [ecnordic.ski](https://ecnordic.ski)
-(remark→rehype directive pipeline) and [907.life](https://907.life) (plain `remark-html`).
+sites with completely different markdown pipelines (e.g. [ecnordic.ski](https://ecnordic.ski)
+(remark→rehype directive pipeline) and [907.life](https://907.life) (plain `remark-html`)).
 
 ## Status
 
-**`0.4.x` — auth on [better-auth](https://better-auth.com); API not yet frozen.** The core was
+**`0.4.x`: auth on [better-auth](https://better-auth.com); API not yet frozen.** The core was
 built *inside ecnordic.ski first* (the richer proving ground) with the cairn-core ↔ site-adapter
 seams designed in from day one, then extracted into this package and validated on a second design
 (907.life). Editor auth runs on **better-auth (Cloudflare D1 + magic-link)** behind a scanner-safe

package/dist/adapter.d.ts

@@ -1,5 +1,6 @@
 import type { PreviewPlugins } from './carta';
 import type { RepoRef } from './github';
+import type { ComponentRegistry } from './render';
 interface FieldBase {
     /** Frontmatter key and form input name. */
     name: string;
@@ -44,13 +45,21 @@ export interface CairnCollection {
 export interface CairnAdapter {
     /** Branding + magic-link email copy. */
     siteName: string;
-    /** From: address for magic-link email — a domain-authenticated sender. */
+    /** From: address for magic-link email (must be a domain-authenticated sender). */
     sender: string;
     /** The repository the admin reads content from and commits to. */
     backend: RepoRef;
     /** Site plugin set for the Carta preview (parity with the live render). */
     preview: PreviewPlugins;
     collections: CairnCollection[];
+    /**
+     * The site's component registry: the single declaration of its directive
+     * components (R10a). Rendering parity already flows through `preview`; this
+     * exposes the same registry so the editor's insert-component palette can read
+     * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
+     * omit it or supply an empty registry.
+     */
+    registry?: ComponentRegistry;
 }
 /** Look up a collection by its route segment, or undefined if the segment is unknown. */
 export declare function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined;

package/dist/adapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAExC,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;CAChC;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAElD,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}

package/dist/auth/config.d.ts

@@ -17,16 +17,16 @@ export interface AuthBranding {
     /** The `From:` address used when sending magic-link emails. */
     sender: string;
 }
-/** The drizzle adapter result `betterAuth` consumes — the same provider/schema everywhere. */
+/** The drizzle adapter result `betterAuth` consumes (same provider/schema everywhere). */
 type DrizzleDb = Parameters<typeof drizzleAdapter>[0];
 /**
  * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
  * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist —
+ * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
  * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
  * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
  * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx) — single-use by construction (C1).
+ * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
  */
 export declare function buildAuth(opts: {
     database: DrizzleDb;
@@ -185,7 +185,7 @@ export declare function buildAuth(opts: {
                                 userId: string;
                                 expiresAt: Date;
                                 token: string;
-                                ipAddress? /** The `From:` address used when sending magic-link emails. */: string | null | undefined;
+                                ipAddress?: string | null | undefined;
                                 userAgent?: string | null | undefined;
                             } & Record<string, unknown>, ctx: import("better-auth").GenericEndpointContext | null): Promise<void>;
                         };
@@ -956,8 +956,8 @@ export declare function buildAuth(opts: {
                     $Infer: {
                         body: {
                             permissions: {
-                                readonly user?: ("create" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get" | "update")[] | undefined;
-                                readonly session?: ("list" | "delete" | "revoke")[] | undefined;
+                                readonly user?: ("delete" | "list" | "create" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "set-password" | "get" | "update")[] | undefined;
+                                readonly session?: ("delete" | "list" | "revoke")[] | undefined;
                             };
                         } & {
                             userId?: string | undefined;
@@ -1217,7 +1217,7 @@ export declare function createAuth(env: AuthEnv, branding: AuthBranding): import
                                 userId: string;
                                 expiresAt: Date;
                                 token: string;
-                                ipAddress? /** The `From:` address used when sending magic-link emails. */: string | null | undefined;
+                                ipAddress?: string | null | undefined;
                                 userAgent?: string | null | undefined;
                             } & Record<string, unknown>, ctx: import("better-auth").GenericEndpointContext | null): Promise<void>;
                         };
@@ -1988,8 +1988,8 @@ export declare function createAuth(env: AuthEnv, branding: AuthBranding): import
                     $Infer: {
                         body: {
                             permissions: {
-                                readonly user?: ("create" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get" | "update")[] | undefined;
-                                readonly session?: ("list" | "delete" | "revoke")[] | undefined;
+                                readonly user?: ("delete" | "list" | "create" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "set-password" | "get" | "update")[] | undefined;
+                                readonly session?: ("delete" | "list" | "revoke")[] | undefined;
                             };
                         } & {
                             userId?: string | undefined;

package/dist/auth/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAU3D,2FAA2F;AAC3F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4FAA4F;IAC5F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qFAAqF;AACrF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,8FAA8F;AAC9F,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmD8R,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5F/d,CAAC;;;;;;;;;yCAUtE,CADC;;;;;;;;;;;;;;;yCAWD,CADD,CAAC,+DAA+D;yCAAZ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2B5C,CAAC;qCACc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgC6B,CAAC;qCAErC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAW02E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA1B70hB;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAkBgO,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5F/d,CAAC;;;;;;;;;yCAUtE,CADC;;;;;;;;;;;;;;;yCAWD,CADD,CAAC,+DAA+D;yCAAZ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2B5C,CAAC;qCACc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgC6B,CAAC;qCAErC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAW02E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAH70hB;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAU3D,2FAA2F;AAC3F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4FAA4F;IAC5F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qFAAqF;AACrF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,0FAA0F;AAC1F,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmD0S,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA1Bz1hB;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAkB4O,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAHz1hB;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}

package/dist/auth/config.js

@@ -1,5 +1,5 @@
 // cairn-core: the better-auth instance. Auth is engine code (engine-fat rule), so the whole
-// config — Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles — lives here.
+// config lives here: Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles.
 // Instantiated PER REQUEST in hooks.server.ts (the D1 binding is request-scoped); the factory
 // is cheap (no I/O at construction).
 import { betterAuth } from 'better-auth';
@@ -12,18 +12,18 @@ import { sendMagicLink } from '../email';
 import * as schema from './schema';
 // Two-tier roles on the admin plugin's access-control system: `owner` holds every admin
 // statement (manage editors, revoke sessions); `editor` holds none (content-only). `adminRoles`
-// must name a role defined here, so owner — not the plugin's built-in `admin` — is the gate.
+// must name a role defined here, so owner (not the plugin's built-in `admin`) is the gate.
 const ac = createAccessControl(defaultStatements);
 const owner = ac.newRole(defaultStatements);
 const editor = ac.newRole({});
 /**
  * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
  * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist —
+ * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
  * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
  * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
  * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx) — single-use by construction (C1).
+ * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
  */
 export function buildAuth(opts) {
     return betterAuth({
@@ -40,7 +40,7 @@ export function buildAuth(opts) {
                 sendMagicLink: async ({ email, token }, ctx) => {
                     // Allowlist gate: better-auth always fires this callback (even for unknown emails, to
                     // avoid enumeration) and only blocks user creation at verify. So gate the actual send
-                    // here — never email a non-editor. The login UI shows neutral copy either way, so this
+                    // here. Never email a non-editor. The login UI shows neutral copy either way, so this
                     // leaks nothing; it just stops strangers receiving a dead link.
                     const existing = await ctx?.context.internalAdapter.findUserByEmail(email);
                     if (!existing?.user)

package/dist/auth/guard.d.ts

@@ -1,5 +1,5 @@
 import type { Auth } from './config';
-/** The session shape the whole admin reads — layout, guards, content fns, manage-editors. */
+/** The session shape the whole admin reads: layout, guards, content fns, manage-editors. */
 export interface CairnUser {
     id: string;
     email: string;

package/dist/auth/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/auth/guard.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAErC,6FAA6F;AAC7F,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED,gEAAgE;AAChE,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAKzF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAGhE;AAED,KAAK,YAAY,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAE3E;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAa1E;AAED,4FAA4F;AAC5F,wBAAsB,OAAO,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQpG"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/auth/guard.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAErC,4FAA4F;AAC5F,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED,gEAAgE;AAChE,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAKzF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAGhE;AAED,KAAK,YAAY,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAE3E;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAa1E;AAED,4FAA4F;AAC5F,wBAAsB,OAAO,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQpG"}

package/dist/auth/guard.js

@@ -1,6 +1,6 @@
 // cairn-core: server-side auth helpers the site route shims delegate to. Each takes the
-// SvelteKit event (typed structurally, so the package never depends on a site's generated
-// `App.*` ambient types) plus the per-request `Auth` from `locals`.
+// SvelteKit event, typed structurally so the package never depends on a site's generated
+// `App.*` ambient types, plus the per-request `Auth` from `locals`.
 import { redirect } from '@sveltejs/kit';
 /** Read the better-auth session into a cairn user (or null). */
 export async function loadSession(auth, request) {

package/dist/carta.d.ts

@@ -18,7 +18,7 @@ interface PreviewTransformer {
  * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
  */
 export declare function previewTransformers({ remarkPlugins, rehypePlugins }: PreviewPlugins): PreviewTransformer[];
-/** Minimal Options subset we populate — avoids importing carta-md (Svelte re-exports). */
+/** Minimal Options subset we populate (avoids importing carta-md, which re-exports Svelte components). */
 interface PreviewCartaOptions {
     sanitizer: false;
     rehypeOptions: {

package/dist/carta.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0FAA0F;AAC1F,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}
+{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0GAA0G;AAC1G,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}

package/dist/components/AdminLayout.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
   // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
   // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
-  // (`drawer lg:drawer-open` — sidebar pinned on desktop, slide-over + hamburger on mobile),
+  // (`drawer lg:drawer-open`, sidebar pinned on desktop, slide-over + hamburger on mobile),
   // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
   // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
   // (the login page lives under this layout) it falls back to a minimal centered shell.
@@ -22,7 +22,7 @@
     label: string;
     icon: Snippet;
     active: boolean;
-    /** Owner-only surface — hidden from regular editors. */
+    /** Owner-only surface; hidden from regular editors. */
     owner?: boolean;
   }
 
@@ -73,7 +73,7 @@
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
     <div class="drawer-content">
-      <!-- Mobile top bar — the desktop sidebar replaces this at lg. -->
+      <!-- Mobile top bar; the desktop sidebar replaces this at lg. -->
       <div class="navbar bg-base-100 lg:hidden">
         <div class="flex-1">
           <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>

package/dist/components/AdminList.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
   // The /admin content list: every collection's files, linking into the editor. Data comes
   // from `adminListLoad` (collections) merged with `adminLayoutLoad` (siteName). The shell
-  // (AdminLayout) owns the chrome — site title, signed-in identity, nav, sign out — so this
+  // (AdminLayout) owns the chrome (site title, signed-in identity, nav, sign out), so this
   // page renders only the content body.
   import type { AdminCollectionList } from '../sveltekit';
 

package/dist/components/ConfirmPage.svelte

@@ -1,6 +1,6 @@
 <script lang="ts">
-  // The scanner-safe confirm surface (C2). A GET renders this static page — nothing is consumed.
-  // The token rides in a hidden field; only the explicit form POST (the route's default action →
+  // The scanner-safe confirm surface (C2). A GET renders this static page and consumes nothing.
+  // The token rides in a hidden field; only the explicit form POST (the route's default action,
   // confirmSignIn) verifies it. Mail scanners GET URLs but don't submit forms, so prefetch can't
   // burn the link. JS-free by design.
   interface Props {

package/dist/components/EditPage.svelte

@@ -13,21 +13,21 @@
 
   // Body is editable state; the Carta editor's preview runs the exact site plugin set, so it
   // matches the live page. A hidden input carries the current value into the form.
-  // svelte-ignore state_referenced_locally — seeding from the initial load is intended.
+  // svelte-ignore state_referenced_locally (seeding from the initial load is intended)
   let body = $state(data.body);
 
-  // svelte-ignore state_referenced_locally — the preview plugin set is fixed for the load.
+  // svelte-ignore state_referenced_locally (the preview plugin set is fixed for the load)
   const carta = new Carta(previewCartaOptions(preview));
 
   // Carta's MarkdownEditor must not render on the worker (it pulls Shiki). onMount fires only
-  // in the browser, so SSR renders the plain textarea and the client swaps in the editor —
-  // the kit-free equivalent of the per-site route's `$app/environment` `browser` guard.
+  // in the browser, so SSR renders the plain textarea and the client swaps in the editor.
+  // This is the kit-free equivalent of the per-site route's `$app/environment` `browser` guard.
   let mounted = $state(false);
   onMount(() => {
     mounted = true;
   });
 
-  // svelte-ignore state_referenced_locally — form defaults from the initial load.
+  // svelte-ignore state_referenced_locally (form defaults from the initial load)
   const fm = data.frontmatter as Record<string, unknown>;
 
   function fmString(key: string): string {

package/dist/components/LoginPage.svelte

@@ -1,13 +1,13 @@
 <script lang="ts">
   // The magic-link sign-in page. Requests a link via the better-auth client (client-side, same
-  // origin). To avoid enumeration the UI shows the SAME neutral copy whether or not the email is
-  // on the allowlist — the server only emails actual editors (see auth/config.ts send gate).
+  // origin). To avoid enumeration the UI shows the same neutral copy whether or not the email is
+  // on the allowlist. The server only emails actual editors (see auth/config.ts send gate).
   import { createAuthClient } from 'better-auth/svelte';
   import { magicLinkClient } from 'better-auth/client/plugins';
 
   // The browser client lives in the one component that needs it (requesting a link). Sign-out
-  // and editor management go through server endpoints, so no shared client module is needed —
-  // and a component-local const keeps better-auth's deep client types out of the packaged .d.ts.
+  // and editor management go through server endpoints, so no shared client module is needed.
+  // A component-local const keeps better-auth's deep client types out of the packaged .d.ts.
   const authClient = createAuthClient({ plugins: [magicLinkClient()] });
 
   interface Props {
@@ -23,7 +23,7 @@
     event.preventDefault();
     busy = true;
     // The magic-link email points at our /admin/auth/confirm page (built in config.ts), not a
-    // GET-verify URL — so the result is the same regardless of allowlist membership.
+    // GET-verify URL, so the result is the same regardless of allowlist membership.
     await authClient.signIn.magicLink({ email });
     busy = false;
     requested = true;

package/dist/email.js

@@ -1,9 +1,9 @@
 // cairn-core: pluggable magic-link email sender.
 //
-// Default adapter is Cloudflare Email Service → Email Sending (transactional, arbitrary
-// recipients) — distinct from Email Routing's recipient-restricted `EmailMessage` flow.
-// It is reached through the same `send_email` binding (configured without a
-// destination_address) but a different call shape: `binding.send({ to, from, ... })`.
+// The default adapter targets Cloudflare Email Service (Email Sending, transactional,
+// arbitrary recipients), distinct from Email Routing's recipient-restricted `EmailMessage`
+// flow. Both share the same `send_email` binding (configured without a destination_address)
+// but use a different call shape: `binding.send({ to, from, ... })`.
 // Resend can slot in behind the same `sendMagicLink` signature if needed.
 export async function sendMagicLink(sender, to, link, siteName, from) {
     const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";

package/dist/github.d.ts

@@ -27,7 +27,7 @@ export declare function appJwt(appId: string, privateKeyPem: string): Promise<st
 export interface AppCredentials {
     appId: string;
     installationId: string;
-    /** The stored GITHUB_APP_PRIVATE_KEY_B64 — base64 of the PEM, single line. */
+    /** The stored GITHUB_APP_PRIVATE_KEY_B64: base64 of the PEM, single line. */
     privateKeyB64: string;
 }
 /** Exchange the App JWT for a short-lived installation access token. */
@@ -38,15 +38,35 @@ export interface CommitAuthor {
     name: string;
     email: string;
 }
+/**
+ * A concurrent edit lost the SHA race (C3): the file changed between the read and the PUT,
+ * from another editor or the site's own CI. Thrown so callers can fail safe (re-fetch and ask
+ * the editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable (no peer-boundary identity split, unlike kit's `redirect`/`error`).
+ */
+export declare class CommitConflictError extends Error {
+    readonly path: string;
+    constructor(path: string);
+}
 /**
  * Commit `content` to `path` on the configured branch via the contents API. Author is the
  * editor; committer is omitted so GitHub attributes it to the App (cairn-cms[bot]). Updates
  * the file in place when it exists (passing its sha), creates it otherwise. Returns the
- * commit sha.
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`.
  */
 export declare function commitFile(repo: RepoRef, path: string, content: string, opts: {
     message: string;
     author: CommitAuthor;
 }, token: string): Promise<string>;
+/**
+ * Deploy-time self-test for the GitHub App signer (M2): sign a dummy JWT with the configured
+ * private key. Exercises the brittle PKCS#1→PKCS#8 conversion + Web Crypto import/sign without
+ * any network call or secret in the result, so `/admin/healthz` catches a bad/rotated key
+ * before an editor's save fails. Returns `{ ok: false, detail }` rather than throwing.
+ */
+export declare function signingSelfTest(appId: string, privateKeyB64: string): Promise<{
+    ok: boolean;
+    detail?: string;
+}>;
 export {};
 //# sourceMappingURL=github.d.ts.map

package/dist/github.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../src/lib/github.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,mFAAmF;AACnF,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,uFAAuF;AACvF,wBAAgB,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,QAAQ,EAAE,CAKlE;AAED,yDAAyD;AACzD,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAIlG;AAED,iEAAiE;AACjE,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAqCD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,8EAA8E;IAC9E,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ9E;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAgBjB"}
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../src/lib/github.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,4FAA4F;AAC5F,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAcD,mFAAmF;AACnF,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,uFAAuF;AACvF,wBAAgB,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,QAAQ,EAAE,CAKlE;AAED,yDAAyD;AACzD,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAIlG;AAED,iEAAiE;AACjE,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAqCD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ9E;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAChB,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM;CAIzC;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAmBjB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAQrH"}

package/dist/github.js

@@ -2,8 +2,8 @@
 //
 // Reads (Pass B) list a collection directory and fetch a file's raw markdown; the token
 // is optional because ecnordic's repo is public. Writes (Pass C) mint a short-lived
-// GitHub App installation token — App JWT (RS256) signed with Web Crypto, no octokit
-// dependency — and commit through the contents API with author = editor, committer = the
+// GitHub App installation token (App JWT, RS256 signed with Web Crypto, no octokit
+// dependency) and commit through the contents API with author = editor, committer = the
 // App (cairn-cms[bot]). The same token also lifts reads to the authenticated rate limit
 // and unlocks private repos (e.g. 907-life).
 import { bytesToB64url } from './utils';
@@ -64,7 +64,7 @@ function derLength(n) {
 }
 // AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
 const RSA_ALG_ID = [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00];
-/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 — the only RSA form Web Crypto importKey takes. */
+/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 (the only RSA form Web Crypto importKey takes). */
 function pkcs1ToPkcs8(pkcs1) {
     const octet = [0x04, ...derLength(pkcs1.length), ...pkcs1];
     const body = [0x02, 0x01, 0x00, ...RSA_ALG_ID, ...octet];
@@ -97,7 +97,7 @@ export async function installationToken(creds) {
         throw new Error(`GitHub installation token failed: ${res.status}`);
     return (await res.json()).token;
 }
-/** Standard (padded) base64 of UTF-8 text — the encoding the contents API expects. */
+/** Standard (padded) base64 of UTF-8 text, as the contents API expects. */
 function toBase64(text) {
     return btoa(Array.from(encoder.encode(text), (b) => String.fromCharCode(b)).join(''));
 }
@@ -110,11 +110,25 @@ export async function fileSha(repo, path, token) {
         throw new Error(`GitHub stat ${path} failed: ${res.status}`);
     return (await res.json()).sha;
 }
+/**
+ * A concurrent edit lost the SHA race (C3): the file changed between the read and the PUT,
+ * from another editor or the site's own CI. Thrown so callers can fail safe (re-fetch and ask
+ * the editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable (no peer-boundary identity split, unlike kit's `redirect`/`error`).
+ */
+export class CommitConflictError extends Error {
+    path;
+    constructor(path) {
+        super(`Commit conflict on ${path}: it changed since it was opened`);
+        this.path = path;
+        this.name = 'CommitConflictError';
+    }
+}
 /**
  * Commit `content` to `path` on the configured branch via the contents API. Author is the
  * editor; committer is omitted so GitHub attributes it to the App (cairn-cms[bot]). Updates
  * the file in place when it exists (passing its sha), creates it otherwise. Returns the
- * commit sha.
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`.
  */
 export async function commitFile(repo, path, content, opts, token) {
     const sha = await fileSha(repo, path, token);
@@ -130,7 +144,28 @@ export async function commitFile(repo, path, content, opts, token) {
             ...(sha ? { sha } : {}),
         }),
     });
+    // 409 = the blob sha we read is no longer current. Fail safe: the caller re-fetches and the
+    // editor reapplies. (Full three-way merge stays out of scope; see ARCHITECTURE §5.)
+    if (res.status === 409)
+        throw new CommitConflictError(path);
     if (!res.ok)
         throw new Error(`GitHub commit ${path} failed: ${res.status} ${await res.text()}`);
     return (await res.json()).commit.sha;
 }
+/**
+ * Deploy-time self-test for the GitHub App signer (M2): sign a dummy JWT with the configured
+ * private key. Exercises the brittle PKCS#1→PKCS#8 conversion + Web Crypto import/sign without
+ * any network call or secret in the result, so `/admin/healthz` catches a bad/rotated key
+ * before an editor's save fails. Returns `{ ok: false, detail }` rather than throwing.
+ */
+export async function signingSelfTest(appId, privateKeyB64) {
+    try {
+        const jwt = await appJwt(appId, atob(privateKeyB64));
+        if (jwt.split('.').length !== 3)
+            return { ok: false, detail: 'malformed JWT' };
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, detail: err instanceof Error ? err.message : 'sign failed' };
+    }
+}

package/dist/index.d.ts

@@ -3,4 +3,5 @@ export * from './github';
 export * from './carta';
 export * from './content';
 export * from './adapter';
+export * from './render';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,UAAU,CAAC"}

package/dist/index.js

@@ -5,3 +5,4 @@ export * from './github';
 export * from './carta';
 export * from './content';
 export * from './adapter';
+export * from './render';

package/dist/render/glyph.d.ts

@@ -0,0 +1,6 @@
+import type { Element } from 'hast';
+/** A glyph name → SVG path-data map (the site owns the icon set). */
+export type IconSet = Record<string, string>;
+/** Inline SVG glyph as a real hast node: class ec-glyph, 256 viewBox, currentColor fill. */
+export declare function glyph(name: string, icons: IconSet): Element;
+//# sourceMappingURL=glyph.d.ts.map

package/dist/render/glyph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"glyph.d.ts","sourceRoot":"","sources":["../../src/lib/render/glyph.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,qEAAqE;AACrE,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE7C,4FAA4F;AAC5F,wBAAgB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAM3D"}

package/dist/render/glyph.js

@@ -0,0 +1,5 @@
+import { s } from 'hastscript';
+/** Inline SVG glyph as a real hast node: class ec-glyph, 256 viewBox, currentColor fill. */
+export function glyph(name, icons) {
+    return s('svg', { className: ['ec-glyph'], viewBox: '0 0 256 256', fill: 'currentColor', ariaHidden: 'true' }, [s('path', { d: icons[name] })]);
+}

package/dist/render/index.d.ts

@@ -0,0 +1,6 @@
+export * from './registry';
+export * from './glyph';
+export * from './remark-directives';
+export * from './rehype-dispatch';
+export * from './pipeline';
+//# sourceMappingURL=index.d.ts.map

package/dist/render/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/render/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAC3B,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}

package/dist/render/index.js

@@ -0,0 +1,8 @@
+// cairn-cms render engine: a directive-driven markdown → HTML pipeline whose
+// component vocabulary is supplied by a site's component registry. The site owns the
+// component builders, class names, icon set, and CSS; the engine owns the machinery.
+export * from './registry';
+export * from './glyph';
+export * from './remark-directives';
+export * from './rehype-dispatch';
+export * from './pipeline';

package/dist/render/pipeline.d.ts

@@ -0,0 +1,16 @@
+import { type PluggableList } from 'unified';
+import type { ComponentRegistry } from './registry';
+export interface RendererOptions {
+    /** A site's per-index motion formula for the top-level rise stagger
+     *  (e.g. ecnordic's `(i) => '--rise:' + …`). Omit for no stagger. */
+    rise?: (idx: number) => string;
+}
+/** Compose a site's render pipeline from its component registry: directive syntax →
+ *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+ *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
+export declare function createRenderer(registry: ComponentRegistry, options?: RendererOptions): {
+    remarkPlugins: PluggableList;
+    rehypePlugins: PluggableList;
+    renderMarkdown: (content: string) => Promise<string>;
+};
+//# sourceMappingURL=pipeline.d.ts.map

package/dist/render/pipeline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC/B;yEACqE;IACrE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;CAC/B;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAavD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAEzD"}

package/dist/render/pipeline.js

@@ -0,0 +1,29 @@
+import { unified } from 'unified';
+import remarkParse from 'remark-parse';
+import remarkGfm from 'remark-gfm';
+import remarkDirective from 'remark-directive';
+import remarkRehype from 'remark-rehype';
+import rehypeRaw from 'rehype-raw';
+import rehypeSlug from 'rehype-slug';
+import rehypeStringify from 'rehype-stringify';
+import { remarkDirectiveStamp } from './remark-directives';
+import { rehypeDispatch } from './rehype-dispatch';
+/** Compose a site's render pipeline from its component registry: directive syntax →
+ *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+ *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
+export function createRenderer(registry, options = {}) {
+    const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry]];
+    const rehypePlugins = [rehypeRaw, [rehypeDispatch, registry, options.rise], rehypeSlug];
+    const processor = unified()
+        .use(remarkParse)
+        .use(remarkGfm)
+        .use(remarkPlugins)
+        .use(remarkRehype, { allowDangerousHtml: true })
+        .use(rehypePlugins)
+        .use(rehypeStringify);
+    return {
+        remarkPlugins,
+        rehypePlugins,
+        renderMarkdown: async (content) => String(await processor.process(content)),
+    };
+}