@glw907/cairn-cms 0.40.0 → 0.41.0

package/src/lib/doctor/wrangler-config.ts

@@ -0,0 +1,142 @@
+// A tolerant reader for the few wrangler-config facts the local checks need. It reads
+// wrangler.jsonc or wrangler.toml through the injected readFile (jsonc wins when both exist)
+// and returns null when neither file is present, which the checks report as a skip.
+import type { DoctorContext } from './types.js';
+
+export interface WranglerFacts {
+	/** A send_email binding named EMAIL is declared. */
+	hasEmailBinding: boolean;
+	/** A d1_databases binding named AUTH_DB is declared. */
+	hasAuthDb: boolean;
+	/** The AUTH_DB database_id, when declared; the D1 check queries it. */
+	authDbId?: string;
+	/** observability.enabled is true. */
+	observabilityEnabled: boolean;
+}
+
+export async function readWranglerConfig(
+	readFile: DoctorContext['readFile']
+): Promise<WranglerFacts | null> {
+	const jsonc = await readFile('wrangler.jsonc');
+	if (jsonc !== null) return factsFromJsonc(jsonc);
+	const toml = await readFile('wrangler.toml');
+	if (toml !== null) return factsFromToml(toml);
+	return null;
+}
+
+// Strip // and /* */ comments outside string literals, character by character, so a URL
+// inside a string survives. Trailing commas go by regex afterward; a string containing
+// ",}" would be mangled, an accepted gap in a tolerant reader.
+function stripJsonc(text: string): string {
+	let out = '';
+	let inString = false;
+	let i = 0;
+	while (i < text.length) {
+		const ch = text[i];
+		if (inString) {
+			out += ch;
+			if (ch === '\\') {
+				out += text[i + 1] ?? '';
+				i += 2;
+				continue;
+			}
+			if (ch === '"') inString = false;
+			i += 1;
+			continue;
+		}
+		if (ch === '"') {
+			inString = true;
+			out += ch;
+			i += 1;
+			continue;
+		}
+		if (ch === '/' && text[i + 1] === '/') {
+			const end = text.indexOf('\n', i);
+			i = end === -1 ? text.length : end;
+			continue;
+		}
+		if (ch === '/' && text[i + 1] === '*') {
+			const end = text.indexOf('*/', i + 2);
+			i = end === -1 ? text.length : end + 2;
+			continue;
+		}
+		out += ch;
+		i += 1;
+	}
+	return out.replace(/,(\s*[}\]])/g, '$1');
+}
+
+function factsFromJsonc(text: string): WranglerFacts {
+	let config: Record<string, unknown>;
+	try {
+		config = JSON.parse(stripJsonc(text)) as Record<string, unknown>;
+	} catch {
+		// V8's SyntaxError embeds a source snippet, which would land verbatim in the report;
+		// a file that exists but does not parse is a fail with a clean message instead.
+		throw new Error('wrangler.jsonc did not parse');
+	}
+	const sendEmail = Array.isArray(config.send_email) ? config.send_email : [];
+	const hasEmailBinding = sendEmail.some(
+		(entry) => typeof entry === 'object' && entry !== null && (entry as { name?: unknown }).name === 'EMAIL'
+	);
+	const databases = Array.isArray(config.d1_databases) ? config.d1_databases : [];
+	const authDb = databases.find(
+		(entry): entry is { binding: string; database_id?: unknown } =>
+			typeof entry === 'object' && entry !== null && (entry as { binding?: unknown }).binding === 'AUTH_DB'
+	);
+	const observability = config.observability as { enabled?: unknown } | undefined;
+	const facts: WranglerFacts = {
+		hasEmailBinding,
+		hasAuthDb: authDb !== undefined,
+		observabilityEnabled: observability?.enabled === true,
+	};
+	if (typeof authDb?.database_id === 'string') facts.authDbId = authDb.database_id;
+	return facts;
+}
+
+// The toml read is deliberately shallow: line-anchored matching for the three facts, not a
+// TOML parser. The remediation tells the operator exactly what to add, so full fidelity
+// buys nothing here. A table header opens a section; the relevant key lines are matched
+// within it and the d1 table flushes on the next header.
+function factsFromToml(text: string): WranglerFacts {
+	const facts: WranglerFacts = {
+		hasEmailBinding: false,
+		hasAuthDb: false,
+		observabilityEnabled: false,
+	};
+	let section = '';
+	let d1Binding: string | undefined;
+	let d1Id: string | undefined;
+
+	const flushD1 = () => {
+		if (d1Binding === 'AUTH_DB') {
+			facts.hasAuthDb = true;
+			if (d1Id !== undefined) facts.authDbId = d1Id;
+		}
+		d1Binding = undefined;
+		d1Id = undefined;
+	};
+
+	for (const line of text.split('\n')) {
+		const header = line.match(/^\s*(\[\[?[\w.]+\]?\])\s*(?:#.*)?$/);
+		if (header) {
+			flushD1();
+			section = header[1];
+			continue;
+		}
+		const kv = line.match(/^\s*(\w+)\s*=\s*(.+?)\s*$/);
+		if (!kv) continue;
+		const [, key, value] = kv;
+		const str = value.match(/^["'](.*)["']/)?.[1];
+		if (section === '[[send_email]]' && key === 'name' && str === 'EMAIL') {
+			facts.hasEmailBinding = true;
+		} else if (section === '[[d1_databases]]') {
+			if (key === 'binding') d1Binding = str;
+			if (key === 'database_id') d1Id = str;
+		} else if (section === '[observability]' && key === 'enabled' && value.startsWith('true')) {
+			facts.observabilityEnabled = true;
+		}
+	}
+	flushD1();
+	return facts;
+}

package/src/lib/github/signing.ts

@@ -79,7 +79,7 @@ export async function installationToken(creds: AppCredentials): Promise<string>
 }
 
 interface CachedToken {
-  token: string;
+  token: Promise<string>;
   expiresAt: number;
 }
 
@@ -89,7 +89,9 @@ interface CachedToken {
  * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
  * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
  * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
- * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * lifetime, so a fixed margin avoids parsing the API expiry. The cache holds the in-flight
+ * promise, not the resolved token, so a cold isolate's parallel loads coalesce into one mint;
+ * a rejected mint evicts itself so the next call retries. `mint` and `now` are injected so the
  * cache is testable with no network call and no real clock.
  */
 export function createInstallationTokenCache(
@@ -98,12 +100,17 @@ export function createInstallationTokenCache(
   ttlMs = 55 * 60 * 1000,
 ): (creds: AppCredentials) => Promise<string> {
   const cache = new Map<string, CachedToken>();
-  return async function get(creds: AppCredentials): Promise<string> {
+  return function get(creds: AppCredentials): Promise<string> {
     const hit = cache.get(creds.installationId);
     if (hit && hit.expiresAt > now()) return hit.token;
-    const token = await mint(creds);
-    cache.set(creds.installationId, { token, expiresAt: now() + ttlMs });
-    return token;
+    const entry: CachedToken = { token: mint(creds), expiresAt: now() + ttlMs };
+    cache.set(creds.installationId, entry);
+    // Evict only this entry on rejection: a newer entry that replaced it must survive. The
+    // caller's await surfaces the rejection itself, so this side handler swallows nothing.
+    entry.token.catch(() => {
+      if (cache.get(creds.installationId) === entry) cache.delete(creds.installationId);
+    });
+    return entry.token;
   };
 }
 

package/src/lib/log/events.ts

@@ -13,4 +13,5 @@ export type CairnLogEvent =
   | 'entry.published'
   | 'entry.discarded'
   | 'publish.failed'
+  | 'github.unreachable'
   | 'guard.rejected';

package/src/lib/sveltekit/content-routes.ts

@@ -178,8 +178,9 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
         const entry = pendingEntryOf(name);
         return entry ? [{ concept: entry.concept.id, id: entry.id }] : [];
       });
-    } catch {
+    } catch (err) {
       pendingEntries = null;
+      log.warn('github.unreachable', { scope: 'layout', error: String(err) });
     }
     return {
       siteName: runtime.siteName,
@@ -333,17 +334,21 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     const datePrefix = concept.routing.dated ? concept.datePrefix : null;
     const path = `${concept.dir}/${filenameFromId(id)}`;
     // A pending entry reads branch-first: the editor shows the unpublished edits. The manifest
-    // (link targets and the inbound-link guard) always reads main, the authoritative copy, and a
-    // pending entry adds a main read of its own path to derive its published state.
+    // (link targets and the inbound-link guard) always reads main, the authoritative copy.
+    // Stage 1 runs the branch probe, the main-path read, and the manifest read concurrently,
+    // so the probe does not serialize ahead of the other two; stage 2 adds the branch read
+    // only when the probe found a branch, with the stage-1 main read serving as the published
+    // signal either way.
     const branch = pendingBranch(concept.id, id);
-    const pending = (await branchHeadSha(runtime.backend, branch, token)) !== null;
-    const [raw, manifestRaw, mainRaw] = await Promise.all([
-      readRaw(pending ? { ...runtime.backend, branch } : runtime.backend, path, token),
+    const [headSha, mainRaw, manifestRaw] = await Promise.all([
+      branchHeadSha(runtime.backend, branch, token),
+      readRaw(runtime.backend, path, token),
       readRaw(runtime.backend, runtime.manifestPath, token),
-      pending ? readRaw(runtime.backend, path, token) : Promise.resolve(null),
     ]);
+    const pending = headSha !== null;
+    const raw = pending ? await readRaw({ ...runtime.backend, branch }, path, token) : mainRaw;
     if (raw === null && !isNew) throw error(404, 'Entry not found');
-    const published = pending ? mainRaw !== null : raw !== null;
+    const published = mainRaw !== null;
 
     const parsed = raw === null ? { frontmatter: {}, body: '' } : parseMarkdown(raw);
     const title = typeof parsed.frontmatter.title === 'string' && parsed.frontmatter.title.trim() ? parsed.frontmatter.title : id;
@@ -618,14 +623,18 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       next = upsertEntry(next, manifestEntryFromFile(entry.concept, { path: entry.path, raw: entry.raw }));
       published.push({ concept: entry.concept.id, id: entry.id, branch: entry.branch, sha: entry.sha });
     }
-    if (published.length === 0) throw redirect(303, listPage);
+    if (published.length === 0) {
+      const message = 'Nothing to publish. Every entry is already live.';
+      throw redirect(303, `${listPage}?error=${encodeURIComponent(message)}`);
+    }
     changes.push({ path: runtime.manifestPath, content: serializeManifest(next) });
 
+    const noun = published.length === 1 ? 'entry' : 'entries';
     try {
       await commitFiles(
         runtime.backend,
         changes,
-        { message: `Publish ${published.length} entries`, author: { name: editor.displayName, email: editor.email } },
+        { message: `Publish ${published.length} ${noun}`, author: { name: editor.displayName, email: editor.email } },
         token,
       );
       for (const entry of published) {