@glw907/cairn-cms 0.40.0 → 0.50.0

package/src/lib/sveltekit/content-routes.ts

@@ -4,20 +4,19 @@
 // email `send` injection in auth-routes. A shim stays one line: `export const load = routes.editLoad`.
 import { redirect, error, fail } from '@sveltejs/kit';
 import { findConcept } from '../content/concepts.js';
-import { extractCairnLinks, formatCairnToken } from '../content/links.js';
+import { extractCairnLinks, formatCairnToken, rewriteCairnLink } from '../content/links.js';
 import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown } from '../content/frontmatter.js';
 import { isValidId, slugify, filenameFromId, composeDatedId, slugFromId, renameId } from '../content/ids.js';
-import { rewriteCairnLink } from '../components/markdown-format.js';
 import { appCredentials, type GithubKeyEnv } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFiles, type FileChange } from '../github/repo.js';
 import { branchHeadSha, createBranch, deleteBranch, listBranches } from '../github/branches.js';
 import { PENDING_PREFIX, pendingBranch, parsePendingBranch } from '../content/pending.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, removeEntry, inboundLinks, type Manifest, type LinkTarget, type InboundLink } from '../content/manifest.js';
-import { CommitConflictError } from '../github/types.js';
+import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { issueCsrfToken } from './csrf.js';
-import type { CookieJar } from './types.js';
+import type { CookieJar, EventBase } from './types.js';
 import type { CairnRuntime, ConceptDescriptor, FrontmatterField } from '../content/types.js';
 import type { Editor, Role } from '../auth/types.js';
 
@@ -104,12 +103,8 @@ export interface EditData {
 }
 
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
-export interface ContentEvent {
-  url: URL;
+export interface ContentEvent extends EventBase<GithubKeyEnv> {
   params: Record<string, string>;
-  request: Request;
-  locals: { editor?: Editor | null };
-  platform?: { env?: GithubKeyEnv };
   /** SvelteKit's cookie jar. The layout load reads the persisted admin theme and issues the CSRF
    *  token. Optional for non-route callers. */
   cookies?: CookieJar;
@@ -117,10 +112,42 @@ export interface ContentEvent {
 
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface ContentRoutesDeps {
-  /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer. */
-  mintToken?: (env: GithubKeyEnv) => Promise<string>;
+  /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
+   *  A bare string works too; the routes await whatever comes back. */
+  mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
 }
 
+/** A blocked save or publish: `fail(400)` when the body links to a target absent from main. */
+export interface SaveFailure {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+  /** The cairn tokens that resolve to no entry, for the editor's fix-it banner. */
+  brokenLinks: string[];
+  /** The author's edited markdown, so the editor reseeds with the unsaved work. */
+  body: string;
+}
+
+/** A refused delete: `fail(409)` while other entries still link to this one. */
+export interface DeleteRefusal {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+  /** The entries whose bodies link to the refused one, for the blockers list. */
+  inboundLinks: InboundLink[];
+  /** The refused entry's id, so a list view marks the right row. */
+  id: string;
+}
+
+/** A refused rename: `fail(400)` on a bad slug, `fail(409)` on a collision or pending edits. */
+export interface RenameFailure {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+}
+
+/** What a route's single `form` export presents to a view component: whichever content action
+ *  last failed, merged with every field optional. `error` is always set on a failure; the richer
+ *  keys identify which guard refused. */
+export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure>;
+
 /** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
 function sessionOf(event: ContentEvent): Editor {
   const editor = event.locals.editor;
@@ -178,8 +205,9 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
         const entry = pendingEntryOf(name);
         return entry ? [{ concept: entry.concept.id, id: entry.id }] : [];
       });
-    } catch {
+    } catch (err) {
       pendingEntries = null;
+      log.warn('github.unreachable', { scope: 'layout', error: String(err) });
     }
     return {
       siteName: runtime.siteName,
@@ -222,9 +250,37 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     }
   }
 
-  /** List a concept's entries with their publish status. Main's files carry `edited` when a
-   *  pending ref exists, else `published`; a ref with no main file appends a `new` row read from
-   *  its branch. A listing failure degrades to an inline error, not a thrown 500. */
+  /** Read an entry's list row from its pending branch, so a pending title or draft change shows
+   *  in the list instead of reading as a lost save. summarize degrades a failed or empty read to
+   *  an id-only row, so a ghost ref still lists. */
+  function pendingRow(concept: ConceptDescriptor, id: string, status: EntrySummary['status'], token: string): Promise<EntrySummary> {
+    return summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, status, {
+      ...runtime.backend,
+      branch: pendingBranch(concept.id, id),
+    });
+  }
+
+  /** The per-file crawl, kept only for a repo with no committed manifest yet: list main's files
+   *  and read each one for its row, with edited and new rows reading branch-first. */
+  async function crawlEntries(concept: ConceptDescriptor, pendingIds: Set<string>, token: string): Promise<EntrySummary[]> {
+    const files = await listMarkdown(runtime.backend, concept.dir, token);
+    const entries = await Promise.all(
+      files.map((f) => (pendingIds.has(f.id) ? pendingRow(concept, f.id, 'edited', token) : summarize(f, token, 'published'))),
+    );
+    // A ref with no main file is a never-published entry; its row reads from its branch.
+    const listed = new Set(files.map((f) => f.id));
+    const newRows = await Promise.all(
+      [...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)),
+    );
+    return [...entries, ...newRows];
+  }
+
+  /** List a concept's entries with their publish status. Published rows project straight from
+   *  main's manifest, which publish, delete, and rename keep atomically in sync with main, so
+   *  the listing costs one manifest read plus one branch read per pending entry rather than one
+   *  read per file. A manifest row with a pending ref is `edited` and reads branch-first; a ref
+   *  with no manifest row appends a `new` row read from its branch. A listing failure degrades
+   *  to an inline error, not a thrown 500. */
   async function listLoad(event: ContentEvent): Promise<ListData> {
     sessionOf(event);
     const concept = conceptOf(runtime, event.params);
@@ -239,8 +295,8 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       return { ...base, entries: [], error: 'Could not authenticate with GitHub.' };
     }
     try {
-      const [files, refs] = await Promise.all([
-        listMarkdown(runtime.backend, concept.dir, token),
+      const [manifestRaw, refs] = await Promise.all([
+        readRaw(runtime.backend, runtime.manifestPath, token),
         listBranches(runtime.backend, `${PENDING_PREFIX}${concept.id}/`, token),
       ]);
       const pendingIds = new Set(
@@ -249,27 +305,25 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
           return entry && entry.concept.id === concept.id ? [entry.id] : [];
         }),
       );
-      // An edited row reads branch-first like a new row, so a pending title or draft change
-      // shows in the list instead of reading as a lost save.
+      // A repo with no committed manifest yet (a fresh site before its first publish) falls back
+      // to the crawl; a manifest that parses but is empty is trusted as-is.
+      if (manifestRaw === null) {
+        return { ...base, entries: await crawlEntries(concept, pendingIds, token), error: null };
+      }
+      // Newest id first, the same order the crawl's file listing produced.
+      const rows = parseManifest(manifestRaw)
+        .entries.filter((e) => e.concept === concept.id)
+        .sort((a, b) => b.id.localeCompare(a.id));
       const entries = await Promise.all(
-        files.map((f) =>
-          pendingIds.has(f.id)
-            ? summarize(f, token, 'edited', { ...runtime.backend, branch: pendingBranch(concept.id, f.id) })
-            : summarize(f, token, 'published'),
+        rows.map((e) =>
+          pendingIds.has(e.id)
+            ? pendingRow(concept, e.id, 'edited', token)
+            : { id: e.id, title: e.title, date: e.date ?? null, draft: e.draft, status: 'published' as const },
         ),
       );
-      // A ref with no main file is a never-published entry; its row reads from its branch, and
-      // summarize already degrades a failed read to an id-only row.
-      const listed = new Set(files.map((f) => f.id));
+      const listed = new Set(rows.map((e) => e.id));
       const newRows = await Promise.all(
-        [...pendingIds]
-          .filter((id) => !listed.has(id))
-          .map((id) =>
-            summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, 'new', {
-              ...runtime.backend,
-              branch: pendingBranch(concept.id, id),
-            }),
-          ),
+        [...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)),
       );
       return { ...base, entries: [...entries, ...newRows], error: null };
     } catch {
@@ -333,17 +387,21 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     const datePrefix = concept.routing.dated ? concept.datePrefix : null;
     const path = `${concept.dir}/${filenameFromId(id)}`;
     // A pending entry reads branch-first: the editor shows the unpublished edits. The manifest
-    // (link targets and the inbound-link guard) always reads main, the authoritative copy, and a
-    // pending entry adds a main read of its own path to derive its published state.
+    // (link targets and the inbound-link guard) always reads main, the authoritative copy.
+    // Stage 1 runs the branch probe, the main-path read, and the manifest read concurrently,
+    // so the probe does not serialize ahead of the other two; stage 2 adds the branch read
+    // only when the probe found a branch, with the stage-1 main read serving as the published
+    // signal either way.
     const branch = pendingBranch(concept.id, id);
-    const pending = (await branchHeadSha(runtime.backend, branch, token)) !== null;
-    const [raw, manifestRaw, mainRaw] = await Promise.all([
-      readRaw(pending ? { ...runtime.backend, branch } : runtime.backend, path, token),
+    const [headSha, mainRaw, manifestRaw] = await Promise.all([
+      branchHeadSha(runtime.backend, branch, token),
+      readRaw(runtime.backend, path, token),
       readRaw(runtime.backend, runtime.manifestPath, token),
-      pending ? readRaw(runtime.backend, path, token) : Promise.resolve(null),
     ]);
+    const pending = headSha !== null;
+    const raw = pending ? await readRaw({ ...runtime.backend, branch }, path, token) : mainRaw;
     if (raw === null && !isNew) throw error(404, 'Entry not found');
-    const published = pending ? mainRaw !== null : raw !== null;
+    const published = mainRaw !== null;
 
     const parsed = raw === null ? { frontmatter: {}, body: '' } : parseMarkdown(raw);
     const title = typeof parsed.frontmatter.title === 'string' && parsed.frontmatter.title.trim() ? parsed.frontmatter.title : id;
@@ -385,11 +443,6 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     };
   }
 
-  /** Match a commit conflict by class and by name (bundling can alias the class identity). */
-  function isConflict(err: unknown): boolean {
-    return err instanceof CommitConflictError || (err as { name?: string } | null)?.name === 'CommitConflictError';
-  }
-
   /** Log a failed commit: a conflict is the expected last-writer-wins outcome, so it warns with a
    *  reason; any other error is unexpected and logs at error with the stringified cause. Publish
    *  failures carry the same shape under their own event name. */
@@ -487,7 +540,12 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       else if (target.draft) draftLinks.push(formatCairnToken(ref));
     }
     if (absent.length) {
-      return fail(400, { brokenLinks: absent, body });
+      const noun = absent.length === 1 ? 'page' : 'pages';
+      return fail(400, {
+        error: `This page links to ${absent.length} missing ${noun}.`,
+        brokenLinks: absent,
+        body,
+      } satisfies SaveFailure);
     }
 
     // Ensure the entry's pending branch exists (cut lazily from main's head on first save), then
@@ -618,14 +676,18 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       next = upsertEntry(next, manifestEntryFromFile(entry.concept, { path: entry.path, raw: entry.raw }));
       published.push({ concept: entry.concept.id, id: entry.id, branch: entry.branch, sha: entry.sha });
     }
-    if (published.length === 0) throw redirect(303, listPage);
+    if (published.length === 0) {
+      const message = 'Nothing to publish. Every entry is already live.';
+      throw redirect(303, `${listPage}?error=${encodeURIComponent(message)}`);
+    }
     changes.push({ path: runtime.manifestPath, content: serializeManifest(next) });
 
+    const noun = published.length === 1 ? 'entry' : 'entries';
     try {
       await commitFiles(
         runtime.backend,
         changes,
-        { message: `Publish ${published.length} entries`, author: { name: editor.displayName, email: editor.email } },
+        { message: `Publish ${published.length} ${noun}`, author: { name: editor.displayName, email: editor.email } },
         token,
       );
       for (const entry of published) {
@@ -696,7 +758,11 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     const manifest = await readManifest(token);
     const inbound = inboundLinks(manifest, concept.id, id);
     if (inbound.length) {
-      return fail(409, { inboundLinks: inbound, id });
+      return fail(409, {
+        error: `Cannot delete ${id}: ${inbound.length} ${inbound.length === 1 ? 'page links' : 'pages link'} to it.`,
+        inboundLinks: inbound,
+        id,
+      } satisfies DeleteRefusal);
     }
 
     // When the entry was never published (absent from main), the branch delete is the whole
@@ -771,20 +837,20 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     // Pending edits on the branch are keyed to the old id; renaming underneath them would strand
     // them, so refuse until the editor publishes or discards.
     if ((await branchHeadSha(runtime.backend, pendingBranch(concept.id, id), token)) !== null) {
-      return fail(409, { renameError: 'This entry has unpublished edits. Publish or discard them, then rename.' });
+      return fail(409, { error: 'This entry has unpublished edits. Publish or discard them, then rename.' } satisfies RenameFailure);
     }
 
     const form = await event.request.formData();
     const newSlug = String(form.get('slug') ?? '').trim();
     if (!isValidId(newSlug)) {
-      return fail(400, { renameError: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' });
+      return fail(400, { error: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' } satisfies RenameFailure);
     }
     const datePrefix = concept.routing.dated ? concept.datePrefix : null;
     if (concept.routing.dated && /^\d{4}-/.test(newSlug)) {
-      return fail(400, { renameError: 'Leave the date out of the slug.' });
+      return fail(400, { error: 'Leave the date out of the slug.' } satisfies RenameFailure);
     }
     if (newSlug === slugFromId(id, datePrefix)) {
-      return fail(400, { renameError: 'That is already the slug.' });
+      return fail(400, { error: 'That is already the slug.' } satisfies RenameFailure);
     }
     const newId = renameId(id, newSlug, datePrefix);
     const oldPath = `${concept.dir}/${filenameFromId(id)}`;
@@ -795,7 +861,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     // concurrent-rename race where another editor renamed onto this path between load and submit.
     const clobber = await readRaw(runtime.backend, newPath, token);
     if (clobber !== null) {
-      return fail(409, { renameError: 'An entry with that slug already exists.' });
+      return fail(409, { error: 'An entry with that slug already exists.' } satisfies RenameFailure);
     }
 
     const [entryRaw, manifest] = await Promise.all([

package/src/lib/sveltekit/guard.ts

@@ -6,7 +6,7 @@ import { resolveSession } from '../auth/store.js';
 import { sessionCookieName } from '../auth/crypto.js';
 import { isUnsafeFormRequest, originMatches, validateCsrfToken } from './csrf.js';
 import { applySecurityHeaders } from './admin-response.js';
-import { renderConditionResponse } from './condition-response.js';
+import { renderConditionResponse, REASON_CONDITION } from './condition-response.js';
 import { log } from '../log/index.js';
 import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
@@ -60,6 +60,20 @@ export function createAuthGuard() {
       return renderConditionResponse('edge.https-not-forced', { url: event.url });
     }
 
+    // No auth store binding means no admin path can work: the gated views cannot resolve a
+    // session, and a login or confirm POST would die in its action with a raw 500. That is an
+    // operator fault, not a sign-in problem, so name the condition on every admin path, the
+    // public ones included, instead of rendering a login form that can never succeed.
+    const env = event.platform?.env ?? {};
+    if (!env.AUTH_DB) {
+      log.error('guard.rejected', {
+        reason: 'bindings',
+        conditionId: REASON_CONDITION.bindings,
+        path: pathname,
+      });
+      return renderConditionResponse(REASON_CONDITION.bindings);
+    }
+
     // Rule 1 - admin: every unsafe form POST carries a valid double-submit token, else the branded
     // 403 before resolve() runs. This covers the public login/auth posts too.
     if (isUnsafeFormRequest(event.request) && !(await validateCsrfToken(event))) {
@@ -68,9 +82,8 @@ export function createAuthGuard() {
     }
 
     if (!isPublicAdminPath(pathname)) {
-      const env = event.platform?.env ?? {};
       const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
-      const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+      const editor = id ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
       if (!editor) throw redirect(303, '/admin/login');
       event.locals.editor = editor;
     }

package/src/lib/sveltekit/https-required-page.ts

@@ -4,7 +4,8 @@
 // not match, so the editor would otherwise hit an opaque 403. This page names the problem, says why
 // https is needed, and gives the exact Cloudflare fix. The shared shell lives in
 // static-admin-page.ts. See guard.ts.
-import { escapeHtml, renderStaticAdminPage } from './static-admin-page.js';
+import { escapeHtml } from '../escape.js';
+import { renderStaticAdminPage } from './static-admin-page.js';
 
 /**
  * Render the full HTML document for the HTTPS-required page.

package/src/lib/sveltekit/index.ts

@@ -12,9 +12,15 @@ export type {
   EditData,
   ContentEvent,
   ContentRoutesDeps,
+  SaveFailure,
+  DeleteRefusal,
+  RenameFailure,
+  ContentFormFailure,
 } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
 export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
+export { parseAdminPath, type AdminView } from './admin-dispatch.js';
+export { createCairnAdmin, type CairnAdminDeps, type AdminData } from './cairn-admin.js';
 export { healthLoad, type HealthData } from './health.js';
 export type { RequestContext, CookieJar, HandleInput } from './types.js';
 // Re-exported here, not from root, so the public ContentRoutesDeps consumer can name it.

package/src/lib/sveltekit/nav-routes.ts

@@ -5,7 +5,7 @@ import { redirect, error } from '@sveltejs/kit';
 import { appCredentials, type GithubKeyEnv } from '../github/credentials.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
-import { CommitConflictError } from '../github/types.js';
+import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { parseSiteConfig, extractMenu, validateNavTree, setMenu, type NavNode } from '../nav/site-config.js';
 import type { CairnRuntime } from '../content/types.js';
@@ -29,7 +29,9 @@ export interface NavLoadData {
 
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface NavRoutesDeps {
-  mintToken?: (env: GithubKeyEnv) => Promise<string>;
+  /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
+   *  A bare string works too; the routes await whatever comes back. */
+  mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
 }
 
 /** The signed-in editor the guard resolved, or a login redirect. */
@@ -39,11 +41,6 @@ function sessionOf(event: ContentEvent): Editor {
   return editor;
 }
 
-/** Match a commit conflict by class and by name (bundling can alias the class identity). */
-function isConflict(err: unknown): boolean {
-  return err instanceof CommitConflictError || (err as { name?: string } | null)?.name === 'CommitConflictError';
-}
-
 export function createNavRoutes(runtime: CairnRuntime, deps: NavRoutesDeps = {}) {
   const mintToken =
     deps.mintToken ?? ((env: GithubKeyEnv) => cachedInstallationToken(appCredentials(runtime.backend, env)));
@@ -80,12 +77,25 @@ export function createNavRoutes(runtime: CairnRuntime, deps: NavRoutesDeps = {})
     }
 
     let tree: NavNode[] = [];
+    let raw: string | null = null;
     try {
-      const raw = await readRaw(runtime.backend, config.configPath, token);
-      if (raw !== null) tree = extractMenu(parseSiteConfig(raw), config.menuName, maxDepth);
+      raw = await readRaw(runtime.backend, config.configPath, token);
     } catch {
-      // A malformed or unreadable config degrades to an empty tree; the first save writes a clean menu.
-      tree = [];
+      // An unreadable config degrades to an empty tree; the first save writes a clean menu.
+      raw = null;
+    }
+    if (raw !== null) {
+      try {
+        tree = extractMenu(parseSiteConfig(raw), config.menuName, maxDepth);
+      } catch (err) {
+        // A malformed config keeps the same degrade (the nav page failing closed would be worse
+        // for the editor), but the swallow names the operator fault in the log.
+        log.error('config.invalid', {
+          conditionId: 'config.site-config-invalid',
+          error: String(err),
+        });
+        tree = [];
+      }
     }
 
     return {

package/src/lib/sveltekit/static-admin-page.ts

@@ -2,15 +2,7 @@
 // self-contained document with inlined Warm Stone tokens for both colour schemes and the system
 // font stack, served raw before SvelteKit renders. The cairn glyph is the same public-domain
 // Temaki mark the admin chrome uses. See docs/internal/admin-design-system.md.
-
-/** Escape a string for safe interpolation into HTML text and double-quoted attributes. */
-export function escapeHtml(value: string): string {
-  return value
-    .replace(/&/g, '&')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;');
-}
+import { escapeHtml } from '../escape.js';
 
 // The cairn stone-stack glyph (Temaki, CC0), drawn in currentColor like CairnLogo.svelte.
 const CAIRN_GLYPH =

package/src/lib/sveltekit/types.ts

@@ -16,16 +16,25 @@ export interface CookieJar {
   delete(name: string, opts: { path: string }): void;
 }
 
-export interface RequestContext {
+/** The Cloudflare platform wrapper an event carries; `context` is the legacy alias for `ctx`. */
+export interface PlatformContext<Env> {
+  env?: Env;
+  ctx?: { waitUntil(promise: Promise<unknown>): void };
+  context?: { waitUntil(promise: Promise<unknown>): void };
+}
+
+/** The structural core every engine event type extends, parameterized by the Worker env the
+ *  surface reads. Each shared field is defined once here; the extensions add only what their
+ *  surface needs (cookies, params, setHeaders). */
+export interface EventBase<Env> {
   url: URL;
   request: Request;
-  cookies: CookieJar;
   locals: { editor?: Editor | null };
-  platform?: {
-    env?: AuthEnv;
-    ctx?: { waitUntil(promise: Promise<unknown>): void };
-    context?: { waitUntil(promise: Promise<unknown>): void };
-  };
+  platform?: PlatformContext<Env>;
+}
+
+export interface RequestContext extends EventBase<AuthEnv> {
+  cookies: CookieJar;
   // Required so a site cannot silently drop the confirm page's Referrer-Policy header
   // (spec 7.1). A real SvelteKit RequestEvent always supplies it.
   setHeaders(headers: Record<string, string>): void;

package/dist/delivery/paginate.d.ts

@@ -1,12 +0,0 @@
-/** A page of items plus its navigation state. */
-export interface Page<T> {
-    items: T[];
-    page: number;
-    perPage: number;
-    total: number;
-    totalPages: number;
-    hasPrev: boolean;
-    hasNext: boolean;
-}
-/** Slice `items` into the 1-based `page` of size `perPage`, clamping the page into bounds. */
-export declare function paginate<T>(items: T[], page: number, perPage: number): Page<T>;

package/dist/delivery/paginate.js

@@ -1,20 +0,0 @@
-// cairn-cms: pagination helper (public-delivery design). Pure slice math; the template renders
-// the controls. An out-of-range page clamps into bounds.
-/** Slice `items` into the 1-based `page` of size `perPage`, clamping the page into bounds. */
-export function paginate(items, page, perPage) {
-    const total = items.length;
-    // A non-positive page size would make totalPages Infinity, so clamp it to one.
-    const size = Math.max(1, Math.floor(perPage) || 1);
-    const totalPages = Math.max(1, Math.ceil(total / size));
-    const current = Math.min(Math.max(1, Math.floor(page) || 1), totalPages);
-    const start = (current - 1) * size;
-    return {
-        items: items.slice(start, start + size),
-        page: current,
-        perPage: size,
-        total,
-        totalPages,
-        hasPrev: current > 1,
-        hasNext: current < totalPages,
-    };
-}

package/dist/render/index.d.ts

@@ -1,5 +0,0 @@
-export * from './registry.js';
-export * from './glyph.js';
-export * from './remark-directives.js';
-export * from './rehype-dispatch.js';
-export * from './pipeline.js';

package/dist/render/index.js

@@ -1,8 +0,0 @@
-// cairn-cms render engine: a directive-driven markdown to HTML pipeline whose
-// component vocabulary is supplied by a site's component registry. The site owns the
-// component builders, class names, icon set, and CSS; the engine owns the machinery.
-export * from './registry.js';
-export * from './glyph.js';
-export * from './remark-directives.js';
-export * from './rehype-dispatch.js';
-export * from './pipeline.js';

package/src/lib/delivery/paginate.ts

@@ -1,32 +0,0 @@
-// cairn-cms: pagination helper (public-delivery design). Pure slice math; the template renders
-// the controls. An out-of-range page clamps into bounds.
-
-/** A page of items plus its navigation state. */
-export interface Page<T> {
-  items: T[];
-  page: number;
-  perPage: number;
-  total: number;
-  totalPages: number;
-  hasPrev: boolean;
-  hasNext: boolean;
-}
-
-/** Slice `items` into the 1-based `page` of size `perPage`, clamping the page into bounds. */
-export function paginate<T>(items: T[], page: number, perPage: number): Page<T> {
-  const total = items.length;
-  // A non-positive page size would make totalPages Infinity, so clamp it to one.
-  const size = Math.max(1, Math.floor(perPage) || 1);
-  const totalPages = Math.max(1, Math.ceil(total / size));
-  const current = Math.min(Math.max(1, Math.floor(page) || 1), totalPages);
-  const start = (current - 1) * size;
-  return {
-    items: items.slice(start, start + size),
-    page: current,
-    perPage: size,
-    total,
-    totalPages,
-    hasPrev: current > 1,
-    hasNext: current < totalPages,
-  };
-}

package/src/lib/render/index.ts

@@ -1,8 +0,0 @@
-// cairn-cms render engine: a directive-driven markdown to HTML pipeline whose
-// component vocabulary is supplied by a site's component registry. The site owns the
-// component builders, class names, icon set, and CSS; the engine owns the machinery.
-export * from './registry.js';
-export * from './glyph.js';
-export * from './remark-directives.js';
-export * from './rehype-dispatch.js';
-export * from './pipeline.js';