@glw907/cairn-cms 0.40.0 → 0.50.0

package/CHANGELOG.md

@@ -2,6 +2,82 @@
 
 All notable changes to this project are recorded here, most recent first.
 
+## 0.50.0
+
+The admin now mounts as one catch-all route. A new `createCairnAdmin(runtime, deps)` facade
+serves every admin view through a single `load` and a single `actions` record, the new
+`CairnAdmin` component switches the views on the discriminated `AdminData`, and `parseAdminPath`
+is the one path authority behind both. A site's whole `/admin` surface is now three files (the
+`$lib/cairn.server.ts` composer plus the `/admin/[...path]` route pair) instead of a per-route
+tree of shims whose action names coupled to engine components by bare string. The admin URLs are
+unchanged. The per-surface factories (`createContentRoutes` and friends) stay public as the
+advanced seam.
+
+Consumers must: delete the admin route tree and replace it with the two-file mount plus the
+composer; the exact files are in
+[the canonical admin mount](docs/reference/admin-routes.md) and the migration is the `0.50.0`
+section of [the upgrade guide](docs/guides/upgrade-cairn.md). The engine's auth and shell forms
+now post named actions (`?/request`, `?/confirm`, `?/logout`, `?/publishAll`), so a site that
+mounts `LoginPage`, `ConfirmPage`, or `AdminLayout` directly must register those names, and the
+`/admin/auth/logout` server route leaves the contract.
+
+Consumers must: rename `createSiteIndex` to `createSiteResolver` and `SiteIndex` to
+`SiteResolver` where imported from `/delivery/data`; the `paginate` helper is deleted.
+
+Consumers must: read `form.error` where they read `form.renameError`. Every action failure now
+carries `error: string` as its one-line summary; the structured extras (`brokenLinks`,
+`inboundLinks`) keep their keys beside it.
+
+Consumers must: replace the hand-written `App.Locals` block in `src/app.d.ts` with
+`import '@glw907/cairn-cms/ambient';`, the new type-only subpath that ships the
+`App.Locals.editor` augmentation.
+
+The diagnostics registry reaches its remaining runtime sites. A missing `AUTH_DB` on a gated
+admin request renders a branded condition page instead of a silent login redirect, and a missing
+email binding, missing GitHub App credentials, and an invalid site config now carry their
+registered condition ids through the error chain and the logs.
+`deps.mintToken` widens to accept a plain string return. The concept list reads published rows
+from the committed manifest in one call, falling back to the per-file crawl only on a repo with
+no manifest yet. Internal layering rides along (one home each for the link rewriter, the escape
+helpers, and the conflict check) with no consumer surface change.
+
+This release publishes together with `0.41.0`, so a site crossing from `0.40.0` takes both
+windows in one upgrade.
+
+## 0.41.0
+
+`cairn-doctor` ships as a second bin: a setup preflight that runs nine checks over the local config
+files (the wrangler bindings, observability, the CSRF handoff, the site config), the Cloudflare
+account (the onboarded sending domain, Always Use HTTPS, HSTS, the D1 auth store with its schema
+and an owner row), and the GitHub App's full reachability chain. Every check reports into one
+plain-text report, a failure prints its condition's why and remediation from the diagnostics
+registry, and the exit code is 1 on any failure, so the command slots into a deploy script as a
+gate. A missing credential makes the affected checks skip rather than fail, and
+`--send-test <address>` opts into one real email through the Email Sending API. The new
+[Cloudflare readiness guide](docs/guides/cloudflare-readiness.md) walks the same conditions
+manually, a `check:readiness` gate pins that guide to the condition registry, and
+[the doctor reference](docs/reference/doctor.md) covers the flags, the checks, and the CI wiring.
+
+The admin layout's GitHub degrade gains a signal. When the pending-entries read fails, the layout
+logs a warn-level `github.unreachable` record and the topbar's Publish site button hides instead
+of showing a count it cannot know.
+
+Consumers may: run `npx cairn-doctor --from <address> --repo <owner/name>` as a pre-launch gate,
+work through the readiness guide when standing up a fresh account, and filter Workers Logs on
+`github.unreachable` when the publish button goes missing.
+
+A debt batch rides along. The editor's link autocomplete no longer
+pulls CodeMirror into the server bundle, the edit page's load reads its GitHub probes in parallel,
+concurrent cold-start token mints coalesce into one, publish-all pluralizes its commit message and
+an empty publish-all explains itself instead of redirecting silently, the unsaved-changes warning
+tracks client-side navigation and no longer double-fires on a full page unload, the toolbar's
+keyboard tab stop holds across Preview round trips, the word count ignores markdown and directive
+syntax, and the list's publish flash announces reliably to screen readers.
+
+Consumers must: be on `@sveltejs/kit` 2.12 or later before taking this release. The edit page now
+reads `$app/state`, which shipped in kit 2.12.0, and the peer range says so (`^2.12`); a site on
+an older kit must upgrade kit first.
+
 ## 0.40.0
 
 The edit page is redesigned around the manuscript. A sticky translucent header carries the

package/README.md

@@ -45,7 +45,7 @@ doesn't, cairn is the wrong tool and will not try to meet you halfway.
    tutorial, takes you from an empty directory to a deployed site with a working `/admin`.
 2. **[`examples/showcase`](./examples/showcase)** is a complete consumer site wired to the
    engine, and the worked reference for every shape in the docs. When a guide says "mount the
-   route shims," the showcase shows the mounted result.
+   admin," the showcase shows the mounted result.
 3. **[The docs](./docs/README.md)** are organized in four arms: the tutorial, task guides,
    one reference page per export, and explanation pages for the architecture and design
    rules.
@@ -65,8 +65,8 @@ formal contribution process yet, so this is not an open call for pull requests.
 npm install @glw907/cairn-cms
 ```
 
-Peer dependencies: `svelte@^5` and `@sveltejs/kit@^2`. A consumer site implements a
-`CairnAdapter` and mounts thin `/admin` route shims around the package subpaths:
+Peer dependencies: `svelte@^5` and `@sveltejs/kit@^2.12`. A consumer site implements a
+`CairnAdapter` and mounts the whole `/admin` with one catch-all route over the package subpaths:
 
 - `@glw907/cairn-cms`: the core engine and adapter contract.
 - `@glw907/cairn-cms/sveltekit`: the server load and action logic.

package/dist/ambient.d.ts

@@ -0,0 +1,9 @@
+import type { Editor } from './auth/types.js';
+declare global {
+    namespace App {
+        interface Locals {
+            editor?: Editor | null;
+        }
+    }
+}
+export {};

package/dist/ambient.js

@@ -0,0 +1 @@
+export {};

package/dist/components/AdminLayout.svelte

@@ -279,7 +279,7 @@ identical on every host regardless of the site's own theme.
             <kbd class="ml-auto hidden rounded border border-[var(--cairn-card-border)] px-1.5 text-[0.6875rem] font-medium sm:inline">&#8984;K</kbd>
           </button>
         </div>
-        {#if pendingCount > 0 && data.concepts.length > 0}
+        {#if pendingCount > 0}
           <div class="flex-none">
             <button type="button" class="btn btn-primary btn-sm" aria-haspopup="dialog" onclick={() => publishAllDialog?.showModal()}>
               Publish site ({pendingCount})
@@ -349,9 +349,7 @@ identical on every host regardless of the site's own theme.
         <form method="dialog" class="modal-backdrop"><button tabindex="-1" aria-label="Close">close</button></form>
       </dialog>
 
-      <!-- The form action below reads data.concepts[0], so zero configured concepts (with a stray
-           pending ref) must hide the dialog along with its trigger. -->
-      {#if pendingCount > 0 && data.concepts.length > 0}
+      {#if pendingCount > 0}
         <dialog bind:this={publishAllDialog} class="modal" aria-labelledby="cairn-publish-all-title">
           <div class="modal-box">
             <div class="mb-3 flex items-center justify-between">
@@ -367,9 +365,9 @@ identical on every host regardless of the site's own theme.
                 {/each}
               </ul>
             {/each}
-            <!-- The publishAll action is mounted on every concept-list shim; the first concept's
-                 route hosts the site-wide POST so the topbar works from any admin page. -->
-            <form method="POST" action={`/admin/${data.concepts[0].id}?/publishAll`} class="mt-4 flex justify-end gap-2">
+            <!-- The publishAll named action is valid on every authed admin view, so the confirm
+                 posts to the current page and the topbar works from anywhere. -->
+            <form method="POST" action="?/publishAll" class="mt-4 flex justify-end gap-2">
               <CsrfField token={data.csrf} />
               <button type="button" class="btn btn-sm" onclick={() => publishAllDialog?.close()}>Cancel</button>
               <button type="submit" class="btn btn-sm btn-primary">Publish site</button>
@@ -455,7 +453,7 @@ identical on every host regardless of the site's own theme.
               <div class="text-xs capitalize text-[var(--color-subtle)]">{data.user.role}</div>
             </div>
           </div>
-          <form method="POST" action="/admin/auth/logout" class="mt-4">
+          <form method="POST" action="?/logout" class="mt-4">
             <CsrfField token={data.csrf} />
             <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">
               <LogOutIcon class="h-4 w-4" /> Sign out

package/dist/components/CairnAdmin.svelte

@@ -0,0 +1,67 @@
+<!--
+@component
+The single-mount admin page. A site's catch-all `/admin/[...path]` route renders this one
+component for every admin view, feeding it the discriminated `AdminData` from `createCairnAdmin`'s
+load. It is a pure switcher on `data.view`: the public auth pages mount bare, and the authed views
+mount inside `AdminLayout`. No styling or wrapper elements of its own.
+-->
+<script lang="ts">
+  import AdminLayout from './AdminLayout.svelte';
+  import LoginPage from './LoginPage.svelte';
+  import ConfirmPage from './ConfirmPage.svelte';
+  import ConceptList from './ConceptList.svelte';
+  import EditPage from './EditPage.svelte';
+  import ManageEditors from './ManageEditors.svelte';
+  import NavTree from './NavTree.svelte';
+  import type { AdminData } from '../sveltekit/cairn-admin.js';
+  import type { ContentFormFailure } from '../sveltekit/content-routes.js';
+  import type { ComponentRegistry } from '../render/registry.js';
+  import type { IconSet } from '../render/glyph.js';
+  import type { LinkResolve } from '../content/links.js';
+
+  interface Props {
+    /** The discriminated view data from `createCairnAdmin`'s load. */
+    data: AdminData;
+    /** The last action's result, forwarded to whichever view rendered: the shared content-action
+     *  failure family (every failure carries `error`), merged with the auth and editors results,
+     *  so the route's one `form` export covers every view. */
+    form?:
+      | (ContentFormFailure & {
+          sent?: boolean;
+          status?: 'sent' | 'send_error' | 'throttled';
+          ok?: boolean;
+        })
+      | null;
+    /** The site's design-accurate render pipeline, for the edit view's preview pane. */
+    render?: (md: string, opts?: { stagger?: boolean; resolve?: LinkResolve }) => string | Promise<string>;
+    /** The site's component registry, for the edit view's insert palette. */
+    registry?: ComponentRegistry;
+    /** The site's icon set, for the edit view's guided form fields. */
+    icons?: IconSet;
+  }
+
+  let { data, form = null, render, registry, icons }: Props = $props();
+</script>
+
+{#if data.view === 'login'}
+  <LoginPage data={data.page} {form} />
+{:else if data.view === 'confirm'}
+  <ConfirmPage data={data.page} />
+{:else}
+  <AdminLayout data={data.layout}>
+    {#if data.view === 'list'}
+      <!-- The single mount reuses this component across /admin/posts -> /admin/pages, so the
+           concept id keys the list: crossing concepts remounts it and drops the old query,
+           sort, page, and dialog state. -->
+      {#key data.page.conceptId}
+        <ConceptList data={data.page} {form} />
+      {/key}
+    {:else if data.view === 'edit'}
+      <EditPage data={{ ...data.page, siteName: data.layout.siteName }} {render} {registry} {icons} {form} />
+    {:else if data.view === 'editors'}
+      <ManageEditors data={data.page} {form} />
+    {:else if data.view === 'nav'}
+      <NavTree data={data.page} />
+    {/if}
+  </AdminLayout>
+{/if}

package/dist/components/CairnAdmin.svelte.d.ts

@@ -0,0 +1,35 @@
+import type { AdminData } from '../sveltekit/cairn-admin.js';
+import type { ContentFormFailure } from '../sveltekit/content-routes.js';
+import type { ComponentRegistry } from '../render/registry.js';
+import type { IconSet } from '../render/glyph.js';
+import type { LinkResolve } from '../content/links.js';
+interface Props {
+    /** The discriminated view data from `createCairnAdmin`'s load. */
+    data: AdminData;
+    /** The last action's result, forwarded to whichever view rendered: the shared content-action
+     *  failure family (every failure carries `error`), merged with the auth and editors results,
+     *  so the route's one `form` export covers every view. */
+    form?: (ContentFormFailure & {
+        sent?: boolean;
+        status?: 'sent' | 'send_error' | 'throttled';
+        ok?: boolean;
+    }) | null;
+    /** The site's design-accurate render pipeline, for the edit view's preview pane. */
+    render?: (md: string, opts?: {
+        stagger?: boolean;
+        resolve?: LinkResolve;
+    }) => string | Promise<string>;
+    /** The site's component registry, for the edit view's insert palette. */
+    registry?: ComponentRegistry;
+    /** The site's icon set, for the edit view's guided form fields. */
+    icons?: IconSet;
+}
+/**
+ * The single-mount admin page. A site's catch-all `/admin/[...path]` route renders this one
+ * component for every admin view, feeding it the discriminated `AdminData` from `createCairnAdmin`'s
+ * load. It is a pure switcher on `data.view`: the public auth pages mount bare, and the authed views
+ * mount inside `AdminLayout`. No styling or wrapper elements of its own.
+ */
+declare const CairnAdmin: import("svelte").Component<Props, {}, "">;
+type CairnAdmin = ReturnType<typeof CairnAdmin>;
+export default CairnAdmin;

package/dist/components/ConceptList.svelte

@@ -7,8 +7,7 @@ content sizes. The header New button opens a dialog holding the create form.
 -->
 <script lang="ts">
   import { slugify } from '../content/ids.js';
-  import type { EntrySummary, ListData } from '../sveltekit/content-routes.js';
-  import type { InboundLink } from '../content/manifest.js';
+  import type { DeleteRefusal, EntrySummary, ListData } from '../sveltekit/content-routes.js';
   import CsrfField from './CsrfField.svelte';
   import DeleteDialog from './DeleteDialog.svelte';
   import CairnLogo from './CairnLogo.svelte';
@@ -17,10 +16,10 @@ content sizes. The header New button opens a dialog holding the create form.
   interface Props {
     /** The list load's data: the concept, its entries, and any inline or form errors. */
     data: ListData;
-    /** The `?/delete` action result. A blocked delete returns the refused entry id and the inbound
-     *  links that link to it (the flat `fail(409, { inboundLinks, id })` shape), so the list names
+    /** The `?/delete` action result. A blocked delete returns the `DeleteRefusal` payload (the
+     *  shared `error` summary, the refused entry id, and its inbound linkers), so the list names
      *  the blockers and refuses (block-until-clean). */
-    form?: { id?: string; inboundLinks?: InboundLink[] } | null;
+    form?: Partial<DeleteRefusal> | null;
   }
 
   let { data, form = null }: Props = $props();
@@ -107,6 +106,14 @@ content sizes. The header New button opens a dialog holding the create form.
   // flex layout and a hover affordance on top of this.
   const headerLabel = 'text-[0.6875rem] font-semibold uppercase tracking-[0.08em] text-[var(--color-muted)]';
   const sortButton = `inline-flex items-center gap-1 ${headerLabel} hover:text-base-content`;
+
+  // The publish-all flash. A racing second admin can publish first, leaving this redirect
+  // counting zero; say nothing then.
+  const publishedAllMessage = $derived(
+    data.publishedAll !== null && data.publishedAll > 0
+      ? `Published ${data.publishedAll} ${data.publishedAll === 1 ? 'entry' : 'entries'}.`
+      : '',
+  );
 </script>
 
 <header class="mb-6 flex flex-col gap-3 sm:flex-row sm:flex-wrap sm:items-center sm:justify-between">
@@ -122,11 +129,12 @@ content sizes. The header New button opens a dialog holding the create form.
   </div>
 </header>
 
-<!-- A racing second admin can publish first, leaving this redirect counting zero; say nothing then. -->
-{#if data.publishedAll !== null && data.publishedAll > 0}
-  <div role="status" class="alert alert-success mb-4 text-sm">
-    Published {data.publishedAll} {data.publishedAll === 1 ? 'entry' : 'entries'}.
-  </div>
+<!-- One persistent live region announces the publish-all flash (the EditPage pattern): a
+     {#if}-gated role element inserted fresh is announced inconsistently, so the visible alert
+     below keeps its styling without a role and the message is announced once. -->
+<div class="sr-only" aria-live="polite">{publishedAllMessage}</div>
+{#if publishedAllMessage}
+  <div class="alert alert-success mb-4 text-sm">{publishedAllMessage}</div>
 {/if}
 {#if data.formError}
   <div role="alert" class="alert alert-error mb-4 text-sm">{data.formError}</div>

package/dist/components/ConceptList.svelte.d.ts

@@ -1,15 +1,11 @@
-import type { ListData } from '../sveltekit/content-routes.js';
-import type { InboundLink } from '../content/manifest.js';
+import type { DeleteRefusal, ListData } from '../sveltekit/content-routes.js';
 interface Props {
     /** The list load's data: the concept, its entries, and any inline or form errors. */
     data: ListData;
-    /** The `?/delete` action result. A blocked delete returns the refused entry id and the inbound
-     *  links that link to it (the flat `fail(409, { inboundLinks, id })` shape), so the list names
+    /** The `?/delete` action result. A blocked delete returns the `DeleteRefusal` payload (the
+     *  shared `error` summary, the refused entry id, and its inbound linkers), so the list names
      *  the blockers and refuses (block-until-clean). */
-    form?: {
-        id?: string;
-        inboundLinks?: InboundLink[];
-    } | null;
+    form?: Partial<DeleteRefusal> | null;
 }
 /**
  * One concept's list view as a DaisyUI data-table: a search filter, a result count, sortable Title and

package/dist/components/ConfirmPage.svelte

@@ -40,7 +40,7 @@ in a hidden field and consumes nothing; only the explicit POST verifies (spec §
     {:else}
       <h1 class="text-lg font-semibold">Almost there</h1>
       <p class="mt-1 mb-5 text-sm text-[var(--color-muted)]">Confirm to finish signing in to {data.siteName}.</p>
-      <form method="POST">
+      <form method="POST" action="?/confirm">
         <input type="hidden" name="token" value={data.token} />
         <CsrfField token={data.csrf} />
         <button type="submit" class="btn btn-primary btn-block">Confirm sign-in</button>

package/dist/components/EditPage.svelte

@@ -14,6 +14,7 @@ transient flashes, and the editor card's footer holds the word count and the Mar
 <script lang="ts">
   import { untrack } from 'svelte';
   import { beforeNavigate } from '$app/navigation';
+  import { page } from '$app/state';
   import CsrfField from './CsrfField.svelte';
   import MarkdownEditor from './MarkdownEditor.svelte';
   import EditorToolbar from './EditorToolbar.svelte';
@@ -25,10 +26,10 @@ transient flashes, and the editor card's footer holds the word count and the Mar
   import MarkdownHelpDialog from './MarkdownHelpDialog.svelte';
   import { cairnLinkCompletionSource } from './link-completion.js';
   import { unwrapCairnLink, type FormatKind } from './markdown-format.js';
-  import { directiveLineKind } from './markdown-directives.js';
+  import { directiveLineKind, findInlineDirectives } from './markdown-directives.js';
   import type { ComponentRegistry } from '../render/registry.js';
   import type { IconSet } from '../render/glyph.js';
-  import type { EditData } from '../sveltekit/content-routes.js';
+  import type { ContentFormFailure, EditData } from '../sveltekit/content-routes.js';
   import type { TextareaField, TagsField, FreeTagsField } from '../content/types.js';
   import type { LinkResolve } from '../content/links.js';
   import { manifestLinkResolver } from '../content/manifest.js';
@@ -42,9 +43,9 @@ transient flashes, and the editor card's footer holds the word count and the Mar
     render?: (md: string, opts?: { stagger?: boolean; resolve?: LinkResolve }) => string | Promise<string>;
     /** The site's icon set, for the guided form's icon fields. */
     icons?: IconSet;
-    /** The `?/save` or `?/delete` action result. Carries the save guard's broken links when a save was
-     *  blocked, or the delete guard's inbound linkers when a delete was refused. */
-    form?: { brokenLinks?: string[]; body?: string; inboundLinks?: import('../content/manifest.js').InboundLink[]; renameError?: string } | null;
+    /** The last content action's failure: the save guard's broken links, the delete guard's
+     *  inbound linkers, or a rename refusal, each carrying the shared `error` summary. */
+    form?: ContentFormFailure | null;
   }
 
   let { data, registry, render, icons, form }: Props = $props();
@@ -101,6 +102,14 @@ transient flashes, and the editor card's footer holds the word count and the Mar
   // navigation passes through because busy flips before it starts, and a non-edit POST's because
   // leaving does.
   beforeNavigate((navigation) => {
+    // A full-page unload (refresh, tab close, external link): per SvelteKit semantics, cancel()
+    // on a leave navigation is what asks the browser for its native dialog, so no confirm()
+    // here or two prompts would stack. The beforeunload listener below is deliberate
+    // belt-and-braces, not the dialog's source.
+    if (navigation.willUnload) {
+      if (dirty && !busy && !leaving) navigation.cancel();
+      return;
+    }
     if (dirty && !busy && !leaving && !confirm('You have unsaved changes. Leave anyway?'))
       navigation.cancel();
   });
@@ -211,8 +220,12 @@ transient flashes, and the editor card's footer holds the word count and the Mar
   // not refused. When set, a delete was blocked by a link that appeared since the page loaded.
   const deleteRefusedLinks = $derived(form?.inboundLinks ?? []);
 
-  // A rename that hit a collision or an invalid slug returns form.renameError.
-  const renameError = $derived(form?.renameError ?? '');
+  // The shared failure summary, rendered only when no richer banner claims the failure: the save
+  // and delete guards get their own banners from brokenLinks and inboundLinks below, so this
+  // surfaces the rest (a rename refusal, today).
+  const formError = $derived(
+    form?.error && !form.brokenLinks?.length && !form.inboundLinks?.length ? form.error : '',
+  );
 
   // The entry this surface is editing. SvelteKit reuses the page component across a same-route
   // navigation (the delete-refused and broken-link banners link entry to entry), so the per-entry
@@ -240,14 +253,12 @@ transient flashes, and the editor card's footer holds the word count and the Mar
     });
   });
 
-  // After a save that links to a draft target, the redirect carries ?drafts=<tokens>. Re-read on
-  // an entry change too, since a client-side navigation swaps the search string under this effect.
-  let draftWarning = $state('');
-  $effect(() => {
-    void entryKey;
-    const search = typeof location === 'undefined' ? '' : location.search;
-    const drafts = new URLSearchParams(search).get('drafts');
-    draftWarning = drafts ? drafts.split(',').filter(Boolean).join(', ') : '';
+  // After a save that links to a draft target, the redirect carries ?drafts=<tokens>. page.url
+  // is reactive kit state, so a client-side navigation that swaps the search string re-derives
+  // this, and the read is SSR-safe.
+  const draftWarning = $derived.by(() => {
+    const drafts = page.url.searchParams.get('drafts');
+    return drafts ? drafts.split(',').filter(Boolean).join(', ') : '';
   });
 
   // The one transient feedback strip under the sticky header. The redirect flags are mutually
@@ -272,7 +283,7 @@ transient flashes, and the editor card's footer holds the word count and the Mar
   );
   const assertiveMessage = $derived.by(() => {
     if (data.error) return data.error;
-    if (renameError) return renameError;
+    if (formError) return formError;
     if (deleteRefusedLinks.length) {
       const count = deleteRefusedLinks.length;
       return `This ${data.label.toLowerCase()} could not be deleted. ${count} ${count === 1 ? 'page links' : 'pages link'} to it.`;
@@ -284,12 +295,29 @@ transient flashes, and the editor card's footer holds the word count and the Mar
     return '';
   });
 
+  // One line of body text reduced to its prose: inline directives drop wholesale, then the
+  // markdown marker characters become spaces. Spacing rather than deleting keeps "[text](url)"
+  // as two words instead of mashing the link text into its destination, so a link counts its
+  // text plus its URL and the count never undercounts prose.
+  function proseOnly(line: string): string {
+    let out = '';
+    let cursor = 0;
+    for (const { from, to } of findInlineDirectives(line)) {
+      out += line.slice(cursor, from);
+      cursor = to;
+    }
+    out += line.slice(cursor);
+    return out.replace(/[*_~`[\]()#]/g, ' ');
+  }
+
   // The editor footer's word count, over the local body so it tracks every keystroke. Directive
-  // machinery lines and table rows are dropped first, so the count reads as the author's prose.
+  // machinery lines and table rows are dropped first and the inline syntax stripped, so the
+  // count reads as the author's prose.
   const countedBody = $derived(
     body
       .split('\n')
       .filter((line) => directiveLineKind(line) === null && !/^\s*\|/.test(line))
+      .map(proseOnly)
       .join('\n'),
   );
   const wordCount = $derived(countedBody.trim() ? countedBody.trim().split(/\s+/).length : 0);
@@ -505,8 +533,8 @@ transient flashes, and the editor card's footer holds the word count and the Mar
 {#if data.error}
   <div class="alert alert-error mb-4 text-sm">{data.error}</div>
 {/if}
-{#if renameError}
-  <div class="alert alert-error mb-4 text-sm">{renameError}</div>
+{#if formError}
+  <div class="alert alert-error mb-4 text-sm">{formError}</div>
 {/if}
 {#if deleteRefusedLinks.length}
   <div class="alert alert-error mb-4 flex-col items-start text-sm">

package/dist/components/EditPage.svelte.d.ts

@@ -1,6 +1,6 @@
 import type { ComponentRegistry } from '../render/registry.js';
 import type { IconSet } from '../render/glyph.js';
-import type { EditData } from '../sveltekit/content-routes.js';
+import type { ContentFormFailure, EditData } from '../sveltekit/content-routes.js';
 import type { LinkResolve } from '../content/links.js';
 interface Props {
     /** The edit load's data, plus the site name for the heading. */
@@ -16,14 +16,9 @@ interface Props {
     }) => string | Promise<string>;
     /** The site's icon set, for the guided form's icon fields. */
     icons?: IconSet;
-    /** The `?/save` or `?/delete` action result. Carries the save guard's broken links when a save was
-     *  blocked, or the delete guard's inbound linkers when a delete was refused. */
-    form?: {
-        brokenLinks?: string[];
-        body?: string;
-        inboundLinks?: import('../content/manifest.js').InboundLink[];
-        renameError?: string;
-    } | null;
+    /** The last content action's failure: the save guard's broken links, the delete guard's
+     *  inbound linkers, or a rename refusal, each carrying the shared `error` summary. */
+    form?: ContentFormFailure | null;
 }
 /**
  * The differentiated editor: the per-concept frontmatter form (from `data.fields`) beside the

package/dist/components/EditorToolbar.svelte

@@ -113,6 +113,10 @@ are stroke SVG icons in the admin's house style (24x24 viewBox, `currentColor`,
     const items = rovingControls();
     if (items.length === 0) return;
     const stop = Math.min(roving, items.length - 1);
+    // Write the clamp back so the stored stop never drifts from the displayed one across a
+    // Preview round trip. The effect reads roving, so the guarded write re-runs it once and
+    // converges (the second pass computes the same stop and writes nothing).
+    if (stop !== roving) roving = stop;
     for (const [i, el] of items.entries()) el.setAttribute('tabindex', i === stop ? '0' : '-1');
   });
 

package/dist/components/LoginPage.svelte

@@ -1,6 +1,6 @@
 <!--
 @component
-The magic-link sign-in page. A plain form POST to the page's default action (the engine's
+The magic-link sign-in page. A plain form POST to the named `?/request` action (the engine's
 `requestAction`); no client SDK. The success message is identical whether or not the email is on
 the allowlist, so the page never leaks membership (spec §7.1).
 -->
@@ -101,7 +101,7 @@ the allowlist, so the page never leaks membership (spec §7.1).
       {#if data.error && !form?.status}
         <div role="alert" class="alert alert-error mb-3 text-sm">That link expired. Request a new one below.</div>
       {/if}
-      <form method="POST" class="flex flex-col gap-3">
+      <form method="POST" action="?/request" class="flex flex-col gap-3">
         <CsrfField token={data.csrf} />
         <label class="flex flex-col gap-1">
           <span class="text-sm font-medium">Email</span>

package/dist/components/LoginPage.svelte.d.ts

@@ -14,7 +14,7 @@ interface Props {
     } | null;
 }
 /**
- * The magic-link sign-in page. A plain form POST to the page's default action (the engine's
+ * The magic-link sign-in page. A plain form POST to the named `?/request` action (the engine's
  * `requestAction`); no client SDK. The success message is identical whether or not the email is on
  * the allowlist, so the page never leaks membership (spec §7.1).
  */

package/dist/components/ManageEditors.svelte

@@ -3,7 +3,8 @@
 The owner-gated editor management surface: a table of editors with role-flip and remove actions,
 and an add-editor form. The acting owner's own row disables its destructive controls; the
 last-owner anti-lockout rule itself is enforced server-side (editors-routes). Actions post to the
-named `?/setRole`, `?/remove`, and `?/add` actions.
+named `?/setRole`, `?/removeEditor`, and `?/addEditor` actions, the names the single-mount
+dispatcher defines.
 -->
 <script lang="ts">
   import CsrfField from './CsrfField.svelte';
@@ -53,7 +54,7 @@ named `?/setRole`, `?/remove`, and `?/add` actions.
                 {editor.role === 'owner' ? 'Make editor' : 'Make owner'}
               </button>
             </form>
-            <form method="POST" action="?/remove">
+            <form method="POST" action="?/removeEditor">
               <CsrfField />
               <input type="hidden" name="email" value={editor.email} />
               <button type="submit" class="btn btn-ghost btn-xs text-error" disabled={isSelf} aria-label={`Remove ${editor.displayName}`}>
@@ -67,7 +68,7 @@ named `?/setRole`, `?/remove`, and `?/add` actions.
   </table>
 </div>
 
-<form method="POST" action="?/add" class="rounded-box border border-[var(--cairn-card-border)] bg-base-100 grid gap-3 p-4 shadow-[var(--cairn-shadow)] sm:grid-cols-[1fr_1fr_auto_auto] sm:items-end">
+<form method="POST" action="?/addEditor" class="rounded-box border border-[var(--cairn-card-border)] bg-base-100 grid gap-3 p-4 shadow-[var(--cairn-shadow)] sm:grid-cols-[1fr_1fr_auto_auto] sm:items-end">
   <CsrfField />
   <label class="flex flex-col gap-1">
     <span class="text-sm font-medium">Name</span>

package/dist/components/ManageEditors.svelte.d.ts

@@ -15,7 +15,8 @@ interface Props {
  * The owner-gated editor management surface: a table of editors with role-flip and remove actions,
  * and an add-editor form. The acting owner's own row disables its destructive controls; the
  * last-owner anti-lockout rule itself is enforced server-side (editors-routes). Actions post to the
- * named `?/setRole`, `?/remove`, and `?/add` actions.
+ * named `?/setRole`, `?/removeEditor`, and `?/addEditor` actions, the names the single-mount
+ * dispatcher defines.
  */
 declare const ManageEditors: import("svelte").Component<Props, {}, "">;
 type ManageEditors = ReturnType<typeof ManageEditors>;

package/dist/components/index.d.ts

@@ -1,3 +1,4 @@
+export { default as CairnAdmin } from './CairnAdmin.svelte';
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
 export { default as ConfirmPage } from './ConfirmPage.svelte';

package/dist/components/index.js

@@ -1,5 +1,6 @@
 // Admin Svelte components (Plan 05). The Warm Stone theme ships as a CSS side effect imported
 // by the components that set `data-theme="cairn-admin"`.
+export { default as CairnAdmin } from './CairnAdmin.svelte';
 export { default as AdminLayout } from './AdminLayout.svelte';
 export { default as LoginPage } from './LoginPage.svelte';
 export { default as ConfirmPage } from './ConfirmPage.svelte';