@glw907/cairn-cms 0.4.0 → 0.5.1

package/README.md

@@ -2,18 +2,18 @@
 
 An embedded, **magic-link**, GitHub-committing CMS for SvelteKit + Cloudflare sites.
 Non-technical authors log in by email (no GitHub account, no password), edit **raw
-markdown** in a [Carta](https://github.com/BearToCode/carta) editor, and save — which
+markdown** in a [Carta](https://github.com/BearToCode/carta) editor, and save. Each save
 commits to `main` via a **GitHub App** (committer = `cairn-cms[bot]`, author = the editor)
 and auto-deploys.
 
 It is **design-agnostic**: each consumer site supplies an adapter (collections, slug
 convention, frontmatter schema, and its own `renderPreview(md)`), so the same engine drives
-sites with completely different markdown pipelines — e.g. [ecnordic.ski](https://ecnordic.ski)
-(remark→rehype directive pipeline) and [907.life](https://907.life) (plain `remark-html`).
+sites with completely different markdown pipelines (e.g. [ecnordic.ski](https://ecnordic.ski)
+(remark→rehype directive pipeline) and [907.life](https://907.life) (plain `remark-html`)).
 
 ## Status
 
-**`0.4.x` — auth on [better-auth](https://better-auth.com); API not yet frozen.** The core was
+**`0.4.x`: auth on [better-auth](https://better-auth.com); API not yet frozen.** The core was
 built *inside ecnordic.ski first* (the richer proving ground) with the cairn-core ↔ site-adapter
 seams designed in from day one, then extracted into this package and validated on a second design
 (907.life). Editor auth runs on **better-auth (Cloudflare D1 + magic-link)** behind a scanner-safe

package/dist/adapter.d.ts

@@ -1,5 +1,6 @@
 import type { PreviewPlugins } from './carta';
 import type { RepoRef } from './github';
+import type { ComponentRegistry } from './render';
 interface FieldBase {
     /** Frontmatter key and form input name. */
     name: string;
@@ -34,6 +35,13 @@ export interface CairnCollection {
     /** Route `[type]` segment and list key, e.g. `posts`. */
     type: string;
     label: string;
+    /**
+     * Editing shape. `story` (the default when absent) is a dated feed entry; `page` is a
+     * navigation-placed entry with a path-like slug and no date emphasis. Drives the create
+     * form and the editor header. Never gates editing capability: the palette and toolbar are
+     * available to both. (Pass K, R4.)
+     */
+    kind?: 'page' | 'story';
     /** Repo-relative folder holding the collection's markdown files. */
     dir: string;
     /** Editor form fields, rendered in order. */
@@ -41,16 +49,41 @@ export interface CairnCollection {
     /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
     validate(data: Record<string, unknown>, source: string): object;
 }
+/** A managed navigation menu, read from and committed to the site's YAML config file. */
+export interface NavMenuConfig {
+    /** Repo-relative path to the site-config YAML, e.g. 'src/lib/site.config.yaml'. */
+    configPath: string;
+    /** Key within the file's `menus` map, e.g. 'primary'. */
+    menuName: string;
+    /** Sidebar/admin label for the menu. */
+    label: string;
+    /** Max nesting depth allowed in the editor (1 = flat). Defaults to 2. */
+    maxDepth?: number;
+}
 export interface CairnAdapter {
     /** Branding + magic-link email copy. */
     siteName: string;
-    /** From: address for magic-link email — a domain-authenticated sender. */
+    /** From: address for magic-link email (must be a domain-authenticated sender). */
     sender: string;
     /** The repository the admin reads content from and commits to. */
     backend: RepoRef;
     /** Site plugin set for the Carta preview (parity with the live render). */
     preview: PreviewPlugins;
     collections: CairnCollection[];
+    /**
+     * The site's component registry: the single declaration of its directive
+     * components (R10a). Rendering parity already flows through `preview`; this
+     * exposes the same registry so the editor's insert-component palette can read
+     * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
+     * omit it or supply an empty registry.
+     */
+    registry?: ComponentRegistry;
+    /**
+     * The navigation menu this site manages from `/admin/nav` (R3/Pass L2). The menu lives in the
+     * site's git-committed YAML config (read at build time by the layout, committed back by the
+     * editor). Omit to hide the nav surface, the same opt-in shape as `registry`.
+     */
+    navMenu?: NavMenuConfig;
 }
 /** Look up a collection by its route segment, or undefined if the segment is unknown. */
 export declare function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined;

package/dist/adapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAExC,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;CAChC;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAElD,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd;;;;;OAKG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACxB,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,yFAAyF;AACzF,MAAM,WAAW,aAAa;IAC5B,mFAAmF;IACnF,UAAU,EAAE,MAAM,CAAC;IACnB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,yEAAyE;IACzE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B;;;;OAIG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}

package/dist/auth/capabilities.d.ts

@@ -0,0 +1,7 @@
+import type { CairnUser } from './guard';
+export type Capability = 'story:create' | 'story:edit' | 'page:edit' | 'page:create' | 'nav:manage' | 'user:manage';
+/** Does this user hold the capability? A signed-out (null) user holds nothing. */
+export declare function can(user: CairnUser | null, cap: Capability): boolean;
+/** Assert the capability for a route load/action: 401 when signed out, 403 when under-privileged. */
+export declare function requireCapability(user: CairnUser | null, cap: Capability): CairnUser;
+//# sourceMappingURL=capabilities.d.ts.map

package/dist/auth/capabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/lib/auth/capabilities.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,YAAY,GACZ,WAAW,GACX,aAAa,GACb,YAAY,GACZ,aAAa,CAAC;AASlB,kFAAkF;AAClF,wBAAgB,GAAG,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAIpE;AAED,qGAAqG;AACrG,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE,UAAU,GAAG,SAAS,CAIpF"}

package/dist/auth/capabilities.js

@@ -0,0 +1,26 @@
+// cairn-core: capability checks. Management surfaces gate on a capability, not on a role name,
+// so the two-tier owner/editor model can grow finer capabilities (and a future role) additively.
+// Creating a page and changing the nav are structural acts, so they sit with owner; editing a
+// page's content and running the story feed are everyday editor work.
+import { error } from '@sveltejs/kit';
+// One source of truth. `'all'` means every capability; otherwise the explicit grant list. A future
+// `manager` role is one more row here, no call-site changes.
+const CAPS_BY_ROLE = {
+    owner: 'all',
+    editor: ['story:create', 'story:edit', 'page:edit'],
+};
+/** Does this user hold the capability? A signed-out (null) user holds nothing. */
+export function can(user, cap) {
+    if (!user)
+        return false;
+    const grants = CAPS_BY_ROLE[user.role];
+    return grants === 'all' || grants.includes(cap);
+}
+/** Assert the capability for a route load/action: 401 when signed out, 403 when under-privileged. */
+export function requireCapability(user, cap) {
+    if (!user)
+        throw error(401, 'Not signed in');
+    if (!can(user, cap))
+        throw error(403, 'You do not have permission to do that');
+    return user;
+}

package/dist/auth/config.d.ts

@@ -17,16 +17,16 @@ export interface AuthBranding {
     /** The `From:` address used when sending magic-link emails. */
     sender: string;
 }
-/** The drizzle adapter result `betterAuth` consumes — the same provider/schema everywhere. */
+/** The drizzle adapter result `betterAuth` consumes (same provider/schema everywhere). */
 type DrizzleDb = Parameters<typeof drizzleAdapter>[0];
 /**
  * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
  * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist —
+ * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
  * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
  * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
  * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx) — single-use by construction (C1).
+ * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
  */
 export declare function buildAuth(opts: {
     database: DrizzleDb;
@@ -185,7 +185,7 @@ export declare function buildAuth(opts: {
                                 userId: string;
                                 expiresAt: Date;
                                 token: string;
-                                ipAddress? /** The `From:` address used when sending magic-link emails. */: string | null | undefined;
+                                ipAddress?: string | null | undefined;
                                 userAgent?: string | null | undefined;
                             } & Record<string, unknown>, ctx: import("better-auth").GenericEndpointContext | null): Promise<void>;
                         };
@@ -956,8 +956,8 @@ export declare function buildAuth(opts: {
                     $Infer: {
                         body: {
                             permissions: {
-                                readonly user?: ("create" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get" | "update")[] | undefined;
-                                readonly session?: ("list" | "delete" | "revoke")[] | undefined;
+                                readonly user?: ("delete" | "list" | "create" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "set-password" | "get" | "update")[] | undefined;
+                                readonly session?: ("delete" | "list" | "revoke")[] | undefined;
                             };
                         } & {
                             userId?: string | undefined;
@@ -1217,7 +1217,7 @@ export declare function createAuth(env: AuthEnv, branding: AuthBranding): import
                                 userId: string;
                                 expiresAt: Date;
                                 token: string;
-                                ipAddress? /** The `From:` address used when sending magic-link emails. */: string | null | undefined;
+                                ipAddress?: string | null | undefined;
                                 userAgent?: string | null | undefined;
                             } & Record<string, unknown>, ctx: import("better-auth").GenericEndpointContext | null): Promise<void>;
                         };
@@ -1988,8 +1988,8 @@ export declare function createAuth(env: AuthEnv, branding: AuthBranding): import
                     $Infer: {
                         body: {
                             permissions: {
-                                readonly user?: ("create" | "list" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "delete" | "set-password" | "get" | "update")[] | undefined;
-                                readonly session?: ("list" | "delete" | "revoke")[] | undefined;
+                                readonly user?: ("delete" | "list" | "create" | "set-role" | "ban" | "impersonate" | "impersonate-admins" | "set-password" | "get" | "update")[] | undefined;
+                                readonly session?: ("delete" | "list" | "revoke")[] | undefined;
                             };
                         } & {
                             userId?: string | undefined;

package/dist/auth/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAU3D,2FAA2F;AAC3F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4FAA4F;IAC5F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qFAAqF;AACrF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,8FAA8F;AAC9F,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmD8R,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5F/d,CAAC;;;;;;;;;yCAUtE,CADC;;;;;;;;;;;;;;;yCAWD,CADD,CAAC,+DAA+D;yCAAZ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2B5C,CAAC;qCACc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgC6B,CAAC;qCAErC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAW02E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA1B70hB;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAkBgO,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5F/d,CAAC;;;;;;;;;yCAUtE,CADC;;;;;;;;;;;;;;;yCAWD,CADD,CAAC,+DAA+D;yCAAZ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2B5C,CAAC;qCACc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgC6B,CAAC;qCAErC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAW02E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAH70hB;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAU3D,2FAA2F;AAC3F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4FAA4F;IAC5F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qFAAqF;AACrF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,0FAA0F;AAC1F,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmD0S,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA1Bz1hB;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAkB4O,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAHz1hB;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}

package/dist/auth/config.js

@@ -1,5 +1,5 @@
 // cairn-core: the better-auth instance. Auth is engine code (engine-fat rule), so the whole
-// config — Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles — lives here.
+// config lives here: Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles.
 // Instantiated PER REQUEST in hooks.server.ts (the D1 binding is request-scoped); the factory
 // is cheap (no I/O at construction).
 import { betterAuth } from 'better-auth';
@@ -12,18 +12,18 @@ import { sendMagicLink } from '../email';
 import * as schema from './schema';
 // Two-tier roles on the admin plugin's access-control system: `owner` holds every admin
 // statement (manage editors, revoke sessions); `editor` holds none (content-only). `adminRoles`
-// must name a role defined here, so owner — not the plugin's built-in `admin` — is the gate.
+// must name a role defined here, so owner (not the plugin's built-in `admin`) is the gate.
 const ac = createAccessControl(defaultStatements);
 const owner = ac.newRole(defaultStatements);
 const editor = ac.newRole({});
 /**
  * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
  * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist —
+ * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
  * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
  * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
  * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx) — single-use by construction (C1).
+ * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
  */
 export function buildAuth(opts) {
     return betterAuth({
@@ -40,7 +40,7 @@ export function buildAuth(opts) {
                 sendMagicLink: async ({ email, token }, ctx) => {
                     // Allowlist gate: better-auth always fires this callback (even for unknown emails, to
                     // avoid enumeration) and only blocks user creation at verify. So gate the actual send
-                    // here — never email a non-editor. The login UI shows neutral copy either way, so this
+                    // here. Never email a non-editor. The login UI shows neutral copy either way, so this
                     // leaks nothing; it just stops strangers receiving a dead link.
                     const existing = await ctx?.context.internalAdapter.findUserByEmail(email);
                     if (!existing?.user)

package/dist/auth/guard.d.ts

@@ -1,5 +1,5 @@
 import type { Auth } from './config';
-/** The session shape the whole admin reads — layout, guards, content fns, manage-editors. */
+/** The session shape the whole admin reads: layout, guards, content fns, manage-editors. */
 export interface CairnUser {
     id: string;
     email: string;

package/dist/auth/guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/auth/guard.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAErC,6FAA6F;AAC7F,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED,gEAAgE;AAChE,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAKzF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAGhE;AAED,KAAK,YAAY,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAE3E;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAa1E;AAED,4FAA4F;AAC5F,wBAAsB,OAAO,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQpG"}
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/auth/guard.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAErC,4FAA4F;AAC5F,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED,gEAAgE;AAChE,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAKzF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAGhE;AAED,KAAK,YAAY,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAE3E;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAa1E;AAED,4FAA4F;AAC5F,wBAAsB,OAAO,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQpG"}

package/dist/auth/guard.js

@@ -1,6 +1,6 @@
 // cairn-core: server-side auth helpers the site route shims delegate to. Each takes the
-// SvelteKit event (typed structurally, so the package never depends on a site's generated
-// `App.*` ambient types) plus the per-request `Auth` from `locals`.
+// SvelteKit event, typed structurally so the package never depends on a site's generated
+// `App.*` ambient types, plus the per-request `Auth` from `locals`.
 import { redirect } from '@sveltejs/kit';
 /** Read the better-auth session into a cairn user (or null). */
 export async function loadSession(auth, request) {

package/dist/auth/index.d.ts

@@ -1,4 +1,5 @@
 export { createAuth, type Auth, type AuthEnv, type AuthBranding } from './config';
 export { loadSession, requireSession, confirmSignIn, signOut, type CairnUser } from './guard';
 export { adminsLoad, addAdmin, removeAdmin, setAdminRole, requireOwner, type AdminsData } from './admins';
+export { can, requireCapability, type Capability } from './capabilities';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/auth/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,KAAK,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,SAAS,CAAC;AAC9F,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/auth/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,KAAK,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,SAAS,CAAC;AAC9F,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAC1G,OAAO,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,UAAU,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/auth/index.js

@@ -4,3 +4,4 @@
 export { createAuth } from './config';
 export { loadSession, requireSession, confirmSignIn, signOut } from './guard';
 export { adminsLoad, addAdmin, removeAdmin, setAdminRole, requireOwner } from './admins';
+export { can, requireCapability } from './capabilities';

package/dist/carta.d.ts

@@ -18,7 +18,7 @@ interface PreviewTransformer {
  * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
  */
 export declare function previewTransformers({ remarkPlugins, rehypePlugins }: PreviewPlugins): PreviewTransformer[];
-/** Minimal Options subset we populate — avoids importing carta-md (Svelte re-exports). */
+/** Minimal Options subset we populate (avoids importing carta-md, which re-exports Svelte components). */
 interface PreviewCartaOptions {
     sanitizer: false;
     rehypeOptions: {

package/dist/carta.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0FAA0F;AAC1F,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}
+{"version":3,"file":"carta.d.ts","sourceRoot":"","sources":["../src/lib/carta.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,aAAa,EAAE,SAAS,EAAE,CAAC;IAC3B,oDAAoD;IACpD,aAAa,EAAE,SAAS,EAAE,CAAC;CAC5B;AAED,UAAU,kBAAkB;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC1B,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,SAAS,EAAE,SAAS,CAAA;KAAE,KAAK,IAAI,CAAC;CACpD;AAYD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,EAAE,cAAc,GAAG,kBAAkB,EAAE,CAE1G;AAED,0GAA0G;AAC1G,UAAU,mBAAmB;IAC3B,SAAS,EAAE,KAAK,CAAC;IACjB,aAAa,EAAE;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,UAAU,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,mBAAmB,CAMhF"}

package/dist/components/AdminLayout.svelte

@@ -1,11 +1,7 @@
 <script lang="ts">
-  // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
-  // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
-  // (`drawer lg:drawer-open` — sidebar pinned on desktop, slide-over + hamburger on mobile),
-  // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
-  // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
-  // (the login page lives under this layout) it falls back to a minimal centered shell.
-  // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
+  // Neutral admin chrome shared across sites. Signed in: DaisyUI drawer+navbar shell (sidebar
+  // pinned on desktop, slide-over on mobile). Signed out: minimal centered shell. The
+  // `cairn-admin` class on both roots scopes the "Warm Stone" theme; see the style block.
   import type { Snippet } from 'svelte';
   import type { CairnUser } from '../auth';
 
@@ -13,7 +9,14 @@
     data,
     children,
   }: {
-    data: { siteName: string; user: CairnUser | null; pathname: string };
+    data: {
+      siteName: string;
+      user: CairnUser | null;
+      pathname: string;
+      collections: { type: string; label: string }[];
+      navMenus: { name: string; label: string }[];
+      canManageNav: boolean;
+    };
     children: Snippet;
   } = $props();
 
@@ -22,17 +25,22 @@
     label: string;
     icon: Snippet;
     active: boolean;
-    /** Owner-only surface — hidden from regular editors. */
+    /** Owner-only surface; hidden from regular editors. */
     owner?: boolean;
   }
 
   const nav = $derived<NavItem[]>([
-    {
-      href: '/admin',
-      label: 'Content',
+    ...data.collections.map((collection) => ({
+      href: `/admin/${collection.type}`,
+      label: collection.label,
       icon: contentIcon,
-      active: data.pathname === '/admin' || data.pathname.startsWith('/admin/edit'),
-    },
+      active:
+        data.pathname === `/admin/${collection.type}` ||
+        data.pathname.startsWith(`/admin/edit/${collection.type}/`),
+    })),
+    ...(data.canManageNav && data.navMenus.length
+      ? [{ href: '/admin/nav', label: 'Navigation', icon: navIcon, active: data.pathname.startsWith('/admin/nav') }]
+      : []),
     {
       href: '/admin/admins',
       label: 'Editors',
@@ -43,7 +51,7 @@
   ]);
   const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
-  // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
+  // Close the slide-over after a nav tap on mobile.
   function closeDrawer(): void {
     const toggle = document.getElementById('admin-drawer');
     if (toggle instanceof HTMLInputElement) toggle.checked = false;
@@ -64,16 +72,23 @@
   </svg>
 {/snippet}
 
+{#snippet navIcon()}
+  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+      d="M4 6h16M4 12h16M4 18h16" />
+  </svg>
+{/snippet}
+
 <svelte:head>
   <meta name="robots" content="noindex, nofollow" />
 </svelte:head>
 
 {#if data.user}
-  <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
+  <div class="cairn-admin drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
     <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
 
     <div class="drawer-content">
-      <!-- Mobile top bar — the desktop sidebar replaces this at lg. -->
+      <!-- Mobile top bar; the desktop sidebar replaces this at lg. -->
       <div class="navbar bg-base-100 lg:hidden">
         <div class="flex-1">
           <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
@@ -122,9 +137,50 @@
   </div>
 {:else}
   <!-- Signed out (login page): no nav, just a centered surface. -->
-  <div class="min-h-screen bg-base-200" data-pagefind-ignore>
+  <div class="cairn-admin min-h-screen bg-base-200" data-pagefind-ignore>
     <div class="mx-auto max-w-3xl px-4 py-8">
       {@render children()}
     </div>
   </div>
 {/if}
+
+<style>
+  /* Warm Stone: a neutral, fully self-contained admin theme (R6), light-only. Overriding the
+     DaisyUI v5 tokens + font on this root re-skins the whole admin subtree by inheritance, so
+     the tool looks identical on every host regardless of the site's own theme. Values are OKLCH
+     (no hex/rgb, per the design-system rule). Warm-gray neutrals (hue ~75), violet accent. */
+  .cairn-admin {
+    color-scheme: light;
+    font-family: system-ui, -apple-system, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+
+    --color-base-100: oklch(98.5% 0.004 75);
+    --color-base-200: oklch(96% 0.005 75);
+    --color-base-300: oklch(92% 0.008 75);
+    --color-base-content: oklch(28% 0.012 75);
+
+    --color-primary: oklch(52% 0.20 293);
+    --color-primary-content: oklch(98% 0.012 293);
+    --color-secondary: oklch(45% 0.02 75);
+    --color-secondary-content: oklch(98% 0.004 75);
+    --color-accent: oklch(58% 0.16 300);
+    --color-accent-content: oklch(98% 0.012 300);
+    --color-neutral: oklch(32% 0.012 75);
+    --color-neutral-content: oklch(96% 0.004 75);
+
+    --color-info: oklch(60% 0.12 240);
+    --color-info-content: oklch(98% 0.01 240);
+    --color-success: oklch(58% 0.12 150);
+    --color-success-content: oklch(98% 0.01 150);
+    --color-warning: oklch(75% 0.15 70);
+    --color-warning-content: oklch(25% 0.02 70);
+    --color-error: oklch(58% 0.20 25);
+    --color-error-content: oklch(98% 0.01 25);
+
+    --radius-selector: 0.5rem;
+    --radius-field: 0.5rem;
+    --radius-box: 0.75rem;
+    --size-selector: 0.25rem;
+    --size-field: 0.25rem;
+    --border: 1px;
+  }
+</style>

package/dist/components/AdminLayout.svelte.d.ts

@@ -5,6 +5,15 @@ type $$ComponentProps = {
         siteName: string;
         user: CairnUser | null;
         pathname: string;
+        collections: {
+            type: string;
+            label: string;
+        }[];
+        navMenus: {
+            name: string;
+            label: string;
+        }[];
+        canManageNav: boolean;
     };
     children: Snippet;
 };

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QACvB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC/C,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC5C,YAAY,EAAE,OAAO,CAAC;KACvB,CAAC;IACF,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAkIJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/CollectionList.svelte

@@ -0,0 +1,96 @@
+<script lang="ts">
+  // One collection's entries: a table (title, date, draft badge) linking into the editor, plus a
+  // collapsible "New entry" form. The author types a title; the slug stem derives from it (R4) and
+  // stays editable. A story collection also collects a date, which createEntry forwards so the new
+  // entry opens with its date set. Placeholders differ by kind. The shell (AdminLayout) owns the
+  // chrome and nav; this renders only the body.
+  import type { CollectionListData } from '../sveltekit';
+  import { slugify } from '../slug';
+
+  let { data }: { data: CollectionListData } = $props();
+
+  let title = $state('');
+  let slug = $state('');
+  let slugEdited = $state(false);
+
+  // Keep the slug in sync with the title until the author edits the slug directly.
+  function onTitleInput(value: string) {
+    title = value;
+    if (!slugEdited) slug = slugify(value);
+  }
+
+  const slugPlaceholder = $derived(data.kind === 'page' ? 'about-us' : '2026-05-my-entry');
+</script>
+
+<div class="flex items-center justify-between gap-4">
+  <h1 class="text-2xl font-bold">{data.label}</h1>
+  {#if data.canCreate}
+    <details class="dropdown dropdown-end">
+      <summary class="btn btn-primary btn-sm">New entry</summary>
+      <form
+        method="POST"
+        action="?/create"
+        class="dropdown-content z-10 mt-2 flex w-80 flex-col gap-2 rounded-box border border-base-300 bg-base-100 p-4 shadow"
+      >
+        <label class="flex flex-col gap-1">
+          <span class="text-sm font-medium">Title</span>
+          <input
+            type="text"
+            value={title}
+            oninput={(e) => onTitleInput(e.currentTarget.value)}
+            placeholder="A human title"
+            class="input w-full"
+          />
+        </label>
+
+        {#if data.kind === 'story'}
+          <label class="flex flex-col gap-1">
+            <span class="text-sm font-medium">Date</span>
+            <input type="date" name="date" class="input w-full" />
+          </label>
+        {/if}
+
+        <label class="flex flex-col gap-1">
+          <span class="text-sm font-medium">Slug</span>
+          <input
+            type="text"
+            name="id"
+            required
+            bind:value={slug}
+            oninput={() => (slugEdited = true)}
+            placeholder={slugPlaceholder}
+            pattern="[a-z0-9]([a-z0-9-]*[a-z0-9])?"
+            class="input w-full"
+          />
+          <span class="text-xs opacity-60">Lowercase letters, numbers, and hyphens. Becomes the filename.</span>
+        </label>
+
+        <button type="submit" class="btn btn-primary btn-sm">Create &amp; edit</button>
+      </form>
+    </details>
+  {/if}
+</div>
+
+{#if data.formError}
+  <div class="alert alert-error mt-4"><span>{data.formError}</span></div>
+{/if}
+
+{#if data.error}
+  <div class="alert alert-warning mt-6">Couldn't load {data.label.toLowerCase()}: {data.error}</div>
+{:else if data.entries.length === 0}
+  <p class="mt-6 opacity-60">No entries yet.</p>
+{:else}
+  <ul class="menu mt-6 rounded-box border border-base-300 bg-base-100 p-2">
+    {#each data.entries as entry (entry.path)}
+      <li>
+        <a href="/admin/edit/{data.type}/{entry.id}" class="flex items-center justify-between gap-3">
+          <span class="flex items-center gap-2">
+            <span>{entry.title}</span>
+            {#if entry.draft}<span class="badge badge-warning badge-sm">Draft</span>{/if}
+          </span>
+          {#if entry.date}<span class="text-xs opacity-60">{entry.date}</span>{/if}
+        </a>
+      </li>
+    {/each}
+  </ul>
+{/if}

package/dist/components/CollectionList.svelte.d.ts

@@ -0,0 +1,8 @@
+import type { CollectionListData } from '../sveltekit';
+type $$ComponentProps = {
+    data: CollectionListData;
+};
+declare const CollectionList: import("svelte").Component<$$ComponentProps, {}, "">;
+type CollectionList = ReturnType<typeof CollectionList>;
+export default CollectionList;
+//# sourceMappingURL=CollectionList.svelte.d.ts.map

package/dist/components/CollectionList.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CollectionList.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/CollectionList.svelte.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGtD,KAAK,gBAAgB,GAAI;IAAE,IAAI,EAAE,kBAAkB,CAAA;CAAE,CAAC;AAiFvD,QAAA,MAAM,cAAc,sDAAwC,CAAC;AAC7D,KAAK,cAAc,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC;AACxD,eAAe,cAAc,CAAC"}