@glw907/cairn-cms 0.40.0 → 0.50.0

package/dist/doctor/types.js

@@ -0,0 +1,10 @@
+/** Result constructors, so a check body reads one outcome per line instead of object literals. */
+export function pass(detail) {
+    return { status: 'pass', detail };
+}
+export function fail(detail) {
+    return { status: 'fail', detail };
+}
+export function skip(detail) {
+    return { status: 'skip', detail };
+}

package/dist/doctor/wrangler-config.d.ts

@@ -0,0 +1,12 @@
+import type { DoctorContext } from './types.js';
+export interface WranglerFacts {
+    /** A send_email binding named EMAIL is declared. */
+    hasEmailBinding: boolean;
+    /** A d1_databases binding named AUTH_DB is declared. */
+    hasAuthDb: boolean;
+    /** The AUTH_DB database_id, when declared; the D1 check queries it. */
+    authDbId?: string;
+    /** observability.enabled is true. */
+    observabilityEnabled: boolean;
+}
+export declare function readWranglerConfig(readFile: DoctorContext['readFile']): Promise<WranglerFacts | null>;

package/dist/doctor/wrangler-config.js

@@ -0,0 +1,125 @@
+export async function readWranglerConfig(readFile) {
+    const jsonc = await readFile('wrangler.jsonc');
+    if (jsonc !== null)
+        return factsFromJsonc(jsonc);
+    const toml = await readFile('wrangler.toml');
+    if (toml !== null)
+        return factsFromToml(toml);
+    return null;
+}
+// Strip // and /* */ comments outside string literals, character by character, so a URL
+// inside a string survives. Trailing commas go by regex afterward; a string containing
+// ",}" would be mangled, an accepted gap in a tolerant reader.
+function stripJsonc(text) {
+    let out = '';
+    let inString = false;
+    let i = 0;
+    while (i < text.length) {
+        const ch = text[i];
+        if (inString) {
+            out += ch;
+            if (ch === '\\') {
+                out += text[i + 1] ?? '';
+                i += 2;
+                continue;
+            }
+            if (ch === '"')
+                inString = false;
+            i += 1;
+            continue;
+        }
+        if (ch === '"') {
+            inString = true;
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (ch === '/' && text[i + 1] === '/') {
+            const end = text.indexOf('\n', i);
+            i = end === -1 ? text.length : end;
+            continue;
+        }
+        if (ch === '/' && text[i + 1] === '*') {
+            const end = text.indexOf('*/', i + 2);
+            i = end === -1 ? text.length : end + 2;
+            continue;
+        }
+        out += ch;
+        i += 1;
+    }
+    return out.replace(/,(\s*[}\]])/g, '$1');
+}
+function factsFromJsonc(text) {
+    let config;
+    try {
+        config = JSON.parse(stripJsonc(text));
+    }
+    catch {
+        // V8's SyntaxError embeds a source snippet, which would land verbatim in the report;
+        // a file that exists but does not parse is a fail with a clean message instead.
+        throw new Error('wrangler.jsonc did not parse');
+    }
+    const sendEmail = Array.isArray(config.send_email) ? config.send_email : [];
+    const hasEmailBinding = sendEmail.some((entry) => typeof entry === 'object' && entry !== null && entry.name === 'EMAIL');
+    const databases = Array.isArray(config.d1_databases) ? config.d1_databases : [];
+    const authDb = databases.find((entry) => typeof entry === 'object' && entry !== null && entry.binding === 'AUTH_DB');
+    const observability = config.observability;
+    const facts = {
+        hasEmailBinding,
+        hasAuthDb: authDb !== undefined,
+        observabilityEnabled: observability?.enabled === true,
+    };
+    if (typeof authDb?.database_id === 'string')
+        facts.authDbId = authDb.database_id;
+    return facts;
+}
+// The toml read is deliberately shallow: line-anchored matching for the three facts, not a
+// TOML parser. The remediation tells the operator exactly what to add, so full fidelity
+// buys nothing here. A table header opens a section; the relevant key lines are matched
+// within it and the d1 table flushes on the next header.
+function factsFromToml(text) {
+    const facts = {
+        hasEmailBinding: false,
+        hasAuthDb: false,
+        observabilityEnabled: false,
+    };
+    let section = '';
+    let d1Binding;
+    let d1Id;
+    const flushD1 = () => {
+        if (d1Binding === 'AUTH_DB') {
+            facts.hasAuthDb = true;
+            if (d1Id !== undefined)
+                facts.authDbId = d1Id;
+        }
+        d1Binding = undefined;
+        d1Id = undefined;
+    };
+    for (const line of text.split('\n')) {
+        const header = line.match(/^\s*(\[\[?[\w.]+\]?\])\s*(?:#.*)?$/);
+        if (header) {
+            flushD1();
+            section = header[1];
+            continue;
+        }
+        const kv = line.match(/^\s*(\w+)\s*=\s*(.+?)\s*$/);
+        if (!kv)
+            continue;
+        const [, key, value] = kv;
+        const str = value.match(/^["'](.*)["']/)?.[1];
+        if (section === '[[send_email]]' && key === 'name' && str === 'EMAIL') {
+            facts.hasEmailBinding = true;
+        }
+        else if (section === '[[d1_databases]]') {
+            if (key === 'binding')
+                d1Binding = str;
+            if (key === 'database_id')
+                d1Id = str;
+        }
+        else if (section === '[observability]' && key === 'enabled' && value.startsWith('true')) {
+            facts.observabilityEnabled = true;
+        }
+    }
+    flushD1();
+    return facts;
+}

package/dist/email.js

@@ -1,13 +1,5 @@
 import { CairnError } from './diagnostics/index.js';
-/** Escape the five HTML-significant characters. */
-function escapeHtml(value) {
-    return value
-        .replaceAll('&', '&')
-        .replaceAll('<', '&lt;')
-        .replaceAll('>', '&gt;')
-        .replaceAll('"', '&quot;')
-        .replaceAll("'", '&#39;');
-}
+import { escapeHtml } from './escape.js';
 /** Build the confirmation email. The link is the only action; the copy stays plain. */
 export function buildMagicLinkMessage(input) {
     const { to, branding, link } = input;
@@ -20,8 +12,9 @@ export function buildMagicLinkMessage(input) {
 }
 /** The production send: Cloudflare Email Sending through the EMAIL binding. */
 export const cloudflareSend = async (env, message) => {
-    if (!env.EMAIL)
-        throw new Error('EMAIL binding is not configured');
+    if (!env.EMAIL) {
+        throw new CairnError('config.bindings-missing', { message: 'EMAIL binding is not configured' });
+    }
     await env.EMAIL.send(message);
 };
 /**

package/dist/env.d.ts

@@ -16,7 +16,7 @@ export declare function requireOrigin(env: {
  * The handlers read D1 off `event.platform.env`; without this a misconfigured binding
  * surfaces as a raw `TypeError` deep in a store call. This gives the failure a name.
  *
- * @throws Error when `AUTH_DB` is missing.
+ * @throws CairnError (`config.bindings-missing`) when `AUTH_DB` is missing.
  */
 export declare function requireDb(env: {
     AUTH_DB?: D1Database;

package/dist/env.js

@@ -1,3 +1,4 @@
+import { CairnError } from './diagnostics/index.js';
 /**
  * Returns the site's public origin from configuration.
  *
@@ -33,11 +34,11 @@ export function requireOrigin(env) {
  * The handlers read D1 off `event.platform.env`; without this a misconfigured binding
  * surfaces as a raw `TypeError` deep in a store call. This gives the failure a name.
  *
- * @throws Error when `AUTH_DB` is missing.
+ * @throws CairnError (`config.bindings-missing`) when `AUTH_DB` is missing.
  */
 export function requireDb(env) {
     if (!env.AUTH_DB) {
-        throw new Error('AUTH_DB binding is not configured');
+        throw new CairnError('config.bindings-missing', { message: 'AUTH_DB binding is not configured' });
     }
     return env.AUTH_DB;
 }

package/dist/escape.d.ts

@@ -0,0 +1,2 @@
+/** Escape the five HTML-significant characters for text and quoted attribute values. */
+export declare function escapeHtml(value: string): string;

package/dist/escape.js

@@ -0,0 +1,11 @@
+// cairn-cms: the one HTML text escape. A leaf module with no imports, so the email builder and
+// the edge-served admin pages share it without either arm reaching into the other.
+/** Escape the five HTML-significant characters for text and quoted attribute values. */
+export function escapeHtml(value) {
+    return value
+        .replaceAll('&', '&')
+        .replaceAll('<', '&lt;')
+        .replaceAll('>', '&gt;')
+        .replaceAll('"', '&quot;')
+        .replaceAll("'", '&#39;');
+}

package/dist/github/credentials.d.ts

@@ -6,6 +6,7 @@ export interface GithubKeyEnv {
 }
 /**
  * Assemble the `AppCredentials` the signer needs from the adapter's `backend` (app id,
- * installation) and the Worker's private-key secret. Throws when the secret is unset.
+ * installation) and the Worker's private-key secret. Throws a CairnError naming
+ * `github.app-unreachable` when the secret is unset, since the App cannot authenticate without it.
  */
 export declare function appCredentials(backend: Pick<BackendConfig, 'appId' | 'installationId'>, env: GithubKeyEnv): AppCredentials;

package/dist/github/credentials.js

@@ -1,11 +1,19 @@
+// cairn-cms: the bridge from the adapter's backend config and the Worker's secret to the
+// App signer's input. One tested place owns the join and the missing-secret failure, so the
+// save action (Plan 05) stays thin and a misconfigured Worker fails by name, not with a deep
+// TypeError. Mirrors requireDb/requireOrigin in env.ts.
+import { CairnError } from '../diagnostics/index.js';
 /**
  * Assemble the `AppCredentials` the signer needs from the adapter's `backend` (app id,
- * installation) and the Worker's private-key secret. Throws when the secret is unset.
+ * installation) and the Worker's private-key secret. Throws a CairnError naming
+ * `github.app-unreachable` when the secret is unset, since the App cannot authenticate without it.
  */
 export function appCredentials(backend, env) {
     const privateKeyB64 = env.GITHUB_APP_PRIVATE_KEY_B64;
     if (!privateKeyB64) {
-        throw new Error('GITHUB_APP_PRIVATE_KEY_B64 is not configured');
+        throw new CairnError('github.app-unreachable', {
+            message: 'GITHUB_APP_PRIVATE_KEY_B64 is not configured',
+        });
     }
     return { appId: backend.appId, installationId: backend.installationId, privateKeyB64 };
 }

package/dist/github/signing.d.ts

@@ -9,7 +9,9 @@ export declare function installationToken(creds: AppCredentials): Promise<string
  * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
  * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
  * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
- * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * lifetime, so a fixed margin avoids parsing the API expiry. The cache holds the in-flight
+ * promise, not the resolved token, so a cold isolate's parallel loads coalesce into one mint;
+ * a rejected mint evicts itself so the next call retries. `mint` and `now` are injected so the
  * cache is testable with no network call and no real clock.
  */
 export declare function createInstallationTokenCache(mint?: (creds: AppCredentials) => Promise<string>, now?: () => number, ttlMs?: number): (creds: AppCredentials) => Promise<string>;

package/dist/github/signing.js

@@ -65,18 +65,26 @@ export async function installationToken(creds) {
  * instead of re-signing and re-calling GitHub on every list and commit. A cold isolate re-mints,
  * which is always safe. This mirrors the default of @octokit/auth-app, which caches installation
  * tokens in memory and returns them until expiry. The TTL stays under GitHub's documented one-hour
- * lifetime, so a fixed margin avoids parsing the API expiry. `mint` and `now` are injected so the
+ * lifetime, so a fixed margin avoids parsing the API expiry. The cache holds the in-flight
+ * promise, not the resolved token, so a cold isolate's parallel loads coalesce into one mint;
+ * a rejected mint evicts itself so the next call retries. `mint` and `now` are injected so the
  * cache is testable with no network call and no real clock.
  */
 export function createInstallationTokenCache(mint = installationToken, now = () => Date.now(), ttlMs = 55 * 60 * 1000) {
     const cache = new Map();
-    return async function get(creds) {
+    return function get(creds) {
         const hit = cache.get(creds.installationId);
         if (hit && hit.expiresAt > now())
             return hit.token;
-        const token = await mint(creds);
-        cache.set(creds.installationId, { token, expiresAt: now() + ttlMs });
-        return token;
+        const entry = { token: mint(creds), expiresAt: now() + ttlMs };
+        cache.set(creds.installationId, entry);
+        // Evict only this entry on rejection: a newer entry that replaced it must survive. The
+        // caller's await surfaces the rejection itself, so this side handler swallows nothing.
+        entry.token.catch(() => {
+            if (cache.get(creds.installationId) === entry)
+                cache.delete(creds.installationId);
+        });
+        return entry.token;
     };
 }
 /** The shared installation-token cache, one instance per Worker isolate. */

package/dist/github/types.d.ts

@@ -32,3 +32,5 @@ export declare class CommitConflictError extends Error {
     readonly path: string;
     constructor(path: string);
 }
+/** Match a commit conflict by class and by name (bundling can alias the class identity). */
+export declare function isConflict(err: unknown): boolean;

package/dist/github/types.js

@@ -16,3 +16,7 @@ export class CommitConflictError extends Error {
         this.name = 'CommitConflictError';
     }
 }
+/** Match a commit conflict by class and by name (bundling can alias the class identity). */
+export function isConflict(err) {
+    return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
+}

package/dist/log/events.d.ts

@@ -1 +1 @@
-export type CairnLogEvent = 'auth.link.requested' | 'auth.link.send_failed' | 'auth.token.minted' | 'auth.token.confirmed' | 'auth.session.created' | 'auth.session.destroyed' | 'commit.succeeded' | 'commit.failed' | 'entry.published' | 'entry.discarded' | 'publish.failed' | 'guard.rejected';
+export type CairnLogEvent = 'auth.link.requested' | 'auth.link.send_failed' | 'auth.token.minted' | 'auth.token.confirmed' | 'auth.session.created' | 'auth.session.destroyed' | 'commit.succeeded' | 'commit.failed' | 'config.invalid' | 'entry.published' | 'entry.discarded' | 'publish.failed' | 'github.unreachable' | 'guard.rejected';

package/dist/nav/site-config.d.ts

@@ -37,6 +37,8 @@ export interface SiteConfig {
     [key: string]: unknown;
 }
 export declare class SiteConfigError extends Error {
+    /** The registered diagnostic condition a malformed site config maps to (mirrors CairnError). */
+    readonly conditionId = "config.site-config-invalid";
     constructor(message: string);
 }
 /** Parse the YAML site-config text into a typed object. Throws SiteConfigError on a malformed root. */

package/dist/nav/site-config.js

@@ -60,6 +60,8 @@ export function validateNavTree(value, maxDepth) {
     return walk(value, 1);
 }
 export class SiteConfigError extends Error {
+    /** The registered diagnostic condition a malformed site config maps to (mirrors CairnError). */
+    conditionId = 'config.site-config-invalid';
     constructor(message) {
         super(message);
         this.name = 'SiteConfigError';

package/dist/sveltekit/admin-dispatch.d.ts

@@ -0,0 +1,28 @@
+import type { ConceptDescriptor } from '../content/types.js';
+/** The views the single-mount admin can render, discriminated for the dispatcher's switch. */
+export type AdminView = {
+    view: 'index';
+} | {
+    view: 'login';
+} | {
+    view: 'confirm';
+} | {
+    view: 'list';
+    concept: ConceptDescriptor;
+} | {
+    view: 'edit';
+    concept: ConceptDescriptor;
+    id: string;
+} | {
+    view: 'editors';
+} | {
+    view: 'nav';
+};
+/**
+ * Parse a raw `URL.pathname` (the caller passes `event.url.pathname`, never a SvelteKit rest
+ * param) into the admin view it names. A single trailing slash is tolerated everywhere; empty
+ * internal segments are not. Each segment is percent-decoded individually, so an encoded slash
+ * stays inside its segment, where it can never match a concept id or pass `isValidId` and so
+ * falls through to null.
+ */
+export declare function parseAdminPath(pathname: string, concepts: ConceptDescriptor[]): AdminView | null;

package/dist/sveltekit/admin-dispatch.js

@@ -0,0 +1,62 @@
+import { findConcept } from '../content/concepts.js';
+import { isValidId } from '../content/ids.js';
+/**
+ * Fixed first segments that never resolve as concepts. The engine only allows posts and pages
+ * today, so no collision is possible, but the parser does not depend on that: a reserved
+ * segment wins before concept lookup. `settings` has no view yet; AdminLayout already links
+ * the sidebar to /admin/settings, so the URL is spoken for.
+ */
+const RESERVED_SEGMENTS = new Set(['login', 'auth', 'editors', 'nav', 'settings']);
+/**
+ * Parse a raw `URL.pathname` (the caller passes `event.url.pathname`, never a SvelteKit rest
+ * param) into the admin view it names. A single trailing slash is tolerated everywhere; empty
+ * internal segments are not. Each segment is percent-decoded individually, so an encoded slash
+ * stays inside its segment, where it can never match a concept id or pass `isValidId` and so
+ * falls through to null.
+ */
+export function parseAdminPath(pathname, concepts) {
+    if (pathname !== '/admin' && !pathname.startsWith('/admin/'))
+        return null;
+    let rest = pathname.slice('/admin'.length);
+    // Tolerate exactly one trailing slash; a doubled one leaves an empty segment behind.
+    if (rest.endsWith('/'))
+        rest = rest.slice(0, -1);
+    if (rest === '')
+        return { view: 'index' };
+    const rawSegments = rest.slice(1).split('/');
+    if (rawSegments.includes(''))
+        return null;
+    let segments;
+    try {
+        segments = rawSegments.map((segment) => decodeURIComponent(segment));
+    }
+    catch {
+        // Malformed percent encoding is an unrecognized shape, not a server error.
+        return null;
+    }
+    if (segments.length === 1) {
+        const [head] = segments;
+        if (head === 'login')
+            return { view: 'login' };
+        if (head === 'editors')
+            return { view: 'editors' };
+        if (head === 'nav')
+            return { view: 'nav' };
+        if (RESERVED_SEGMENTS.has(head))
+            return null;
+        const concept = findConcept(concepts, head);
+        return concept ? { view: 'list', concept } : null;
+    }
+    if (segments.length === 2) {
+        const [head, tail] = segments;
+        if (head === 'auth')
+            return tail === 'confirm' ? { view: 'confirm' } : null;
+        if (RESERVED_SEGMENTS.has(head))
+            return null;
+        const concept = findConcept(concepts, head);
+        if (!concept || !isValidId(tail))
+            return null;
+        return { view: 'edit', concept, id: tail };
+    }
+    return null;
+}

package/dist/sveltekit/cairn-admin.d.ts

@@ -0,0 +1,94 @@
+import { type ContentRoutesDeps, type LayoutData, type ListData, type EditData } from './content-routes.js';
+import { type NavLoadData } from './nav-routes.js';
+import type { AuthBranding, SendMagicLink } from '../email.js';
+import type { AuthEnv, Editor } from '../auth/types.js';
+import type { GithubKeyEnv } from '../github/credentials.js';
+import type { CairnRuntime } from '../content/types.js';
+import type { CookieJar, EventBase } from './types.js';
+/**
+ * The structural event the single-mount load reads: the union of what the wrapped loads need
+ * (ContentEvent minus params, which the dispatcher synthesizes, plus RequestContext's cookies
+ * and setHeaders). A real SvelteKit RequestEvent satisfies it.
+ */
+export interface AdminEvent extends EventBase<GithubKeyEnv & AuthEnv> {
+    cookies: CookieJar;
+    setHeaders(headers: Record<string, string>): void;
+}
+/** Injectable dependencies. Branding defaults from the runtime's siteName and sender, so a
+ *  site overrides it only to change the magic-link email identity; `send` and `mintToken`
+ *  are the same seams the underlying factories take. */
+export interface CairnAdminDeps {
+    branding?: AuthBranding;
+    send?: SendMagicLink;
+    mintToken?: ContentRoutesDeps['mintToken'];
+}
+/**
+ * One admin view's data, discriminated for the admin page component's switch. The public
+ * views (login, confirm) carry no layout; every authed view pairs the shared layout with its
+ * page data, the same shapes the per-surface loads have always returned.
+ */
+export type AdminData = {
+    view: 'login';
+    page: {
+        siteName: string;
+        error: string | null;
+        csrf: string;
+    };
+} | {
+    view: 'confirm';
+    page: {
+        token: string;
+        siteName: string;
+        error: string | null;
+        csrf: string;
+    };
+} | {
+    view: 'list';
+    layout: LayoutData;
+    page: ListData;
+} | {
+    view: 'edit';
+    layout: LayoutData;
+    page: EditData;
+} | {
+    view: 'editors';
+    layout: LayoutData;
+    page: {
+        editors: Editor[];
+        self: string;
+    };
+} | {
+    view: 'nav';
+    layout: LayoutData;
+    page: NavLoadData;
+};
+export declare function createCairnAdmin(runtime: CairnRuntime, deps?: CairnAdminDeps): {
+    load: (event: AdminEvent) => Promise<AdminData>;
+    actions: {
+        request: (event: AdminEvent) => Promise<import("./auth-routes.js").RequestResult>;
+        confirm: (event: AdminEvent) => Promise<never>;
+        logout: (event: AdminEvent) => Promise<never>;
+        create: (event: AdminEvent) => Promise<never>;
+        save: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        publish: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        discard: (event: AdminEvent) => Promise<never>;
+        rename: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        delete: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        publishAll: (event: AdminEvent) => Promise<never>;
+        addEditor: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<{
+            error: string;
+        }> | {
+            ok: true;
+        }>;
+        removeEditor: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<{
+            error: string;
+        }> | {
+            ok: true;
+        }>;
+        setRole: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<{
+            error: string;
+        }> | {
+            ok: true;
+        }>;
+    };
+};

package/dist/sveltekit/cairn-admin.js

@@ -0,0 +1,126 @@
+// The single-mount admin facade. One factory closes over the composed runtime, instantiates
+// the existing per-surface route factories (auth, content, editors, nav), and serves every
+// admin view through the one load and one actions record a site's catch-all /admin/[...path]
+// route exports. The path authority is admin-dispatch's parseAdminPath; this module only maps
+// each view to the wrapped load it delegates to, and each named action validates that the
+// parsed view supports it before delegating to the same wrapped factories.
+import { error } from '@sveltejs/kit';
+import { parseAdminPath } from './admin-dispatch.js';
+import { createAuthRoutes } from './auth-routes.js';
+import { createContentRoutes, } from './content-routes.js';
+import { createEditorRoutes } from './editors-routes.js';
+import { createNavRoutes } from './nav-routes.js';
+export function createCairnAdmin(runtime, deps = {}) {
+    // The runtime already composes the site name and the sender identity, so the magic-link
+    // branding needs no second copy of either unless a site overrides it.
+    const branding = deps.branding ?? {
+        siteName: runtime.siteName,
+        from: runtime.sender.from,
+        replyTo: runtime.sender.replyTo,
+    };
+    const auth = createAuthRoutes({ branding, send: deps.send });
+    const content = createContentRoutes(runtime, { mintToken: deps.mintToken });
+    const editors = createEditorRoutes();
+    // The nav surface exists only when the site configures a menu; without one its view is a 404.
+    const nav = runtime.navMenu ? createNavRoutes(runtime, { mintToken: deps.mintToken }) : null;
+    /** Build the event a wrapped content load reads. The catch-all route carries only a rest
+     *  param, so `concept` and `id` are synthesized from the parsed view. The override names
+     *  each field explicitly rather than spreading: a real RequestEvent's fields can sit behind
+     *  getters a bare spread copies poorly, and the structural ContentEvent contract needs only
+     *  these. */
+    function contentEvent(event, params) {
+        return {
+            url: event.url,
+            params,
+            request: event.request,
+            locals: event.locals,
+            platform: event.platform,
+            cookies: event.cookies,
+        };
+    }
+    /** Serve the admin view the pathname names, or a 404 for any shape the parser refuses.
+     *  The authed views run the layout load and the view load concurrently; both mint a GitHub
+     *  token, and the installation-token cache coalesces the mints into one signing. */
+    async function load(event) {
+        const view = parseAdminPath(event.url.pathname, runtime.concepts);
+        if (!view)
+            throw error(404, 'Not found');
+        switch (view.view) {
+            case 'index':
+                return content.indexRedirect();
+            case 'login':
+                return { view: 'login', page: auth.loginLoad(event) };
+            case 'confirm':
+                return { view: 'confirm', page: auth.confirmLoad(event) };
+            case 'list': {
+                const delegated = contentEvent(event, { concept: view.concept.id });
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.listLoad(delegated)]);
+                return { view: 'list', layout, page };
+            }
+            case 'edit': {
+                const delegated = contentEvent(event, { concept: view.concept.id, id: view.id });
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.editLoad(delegated)]);
+                return { view: 'edit', layout, page };
+            }
+            case 'editors': {
+                // editorsLoad gates itself with requireOwner, so the dispatcher adds no second gate.
+                const [layout, page] = await Promise.all([
+                    content.layoutLoad(contentEvent(event, {})),
+                    editors.editorsLoad(event),
+                ]);
+                return { view: 'editors', layout, page };
+            }
+            case 'nav': {
+                if (!nav)
+                    throw error(404, 'Not found');
+                const delegated = contentEvent(event, {});
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), nav.navLoad(delegated)]);
+                return { view: 'nav', layout, page };
+            }
+        }
+    }
+    /** Wrap a delegate in the parse-and-check every action shares: parse the pathname exactly
+     *  as load does, 404 on a null parse or a view outside the allowed set, then hand the
+     *  narrowed view to the delegate. */
+    function viewAction(allowed, delegate) {
+        return async (event) => {
+            const view = parseAdminPath(event.url.pathname, runtime.concepts);
+            if (!view || !allowed.includes(view.view))
+                throw error(404, 'Not found');
+            // The includes check above proves the membership the cast asserts.
+            return delegate(event, view);
+        };
+    }
+    // The topbar posts publishAll from every authed admin page; login and confirm may not.
+    const authedViews = ['list', 'edit', 'editors', 'nav'];
+    // An editor signs out from wherever they are, so logout accepts any parsed view.
+    const anyView = ['index', 'login', 'confirm', 'list', 'edit', 'editors', 'nav'];
+    /** The full admin action vocabulary, one named async function per action, so a site's
+     *  catch-all route exports `admin.actions` directly. Each wrapper stays thin: parse,
+     *  validate the view, synthesize the params the wrapped action reads, delegate. The
+     *  editor actions gate themselves with requireOwner, so no second gate is added here. */
+    const actions = {
+        request: viewAction(['login'], (event) => auth.requestAction(event)),
+        confirm: viewAction(['confirm'], (event) => auth.confirmAction(event)),
+        logout: viewAction(anyView, (event) => auth.logoutAction(event)),
+        create: viewAction(['list'], (event, view) => content.createAction(contentEvent(event, { concept: view.concept.id }))),
+        save: viewAction(['edit', 'nav'], (event, view) => {
+            if (view.view === 'edit')
+                return content.saveAction(contentEvent(event, { concept: view.concept.id, id: view.id }));
+            if (!nav)
+                throw error(404, 'Not found');
+            return nav.navSave(contentEvent(event, {}));
+        }),
+        publish: viewAction(['edit'], (event, view) => content.publishAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        discard: viewAction(['edit'], (event, view) => content.discardAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        rename: viewAction(['edit'], (event, view) => content.renameAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        delete: viewAction(['edit', 'list'], (event, view) => view.view === 'edit'
+            ? content.deleteAction(contentEvent(event, { concept: view.concept.id, id: view.id }))
+            : content.listDeleteAction(contentEvent(event, { concept: view.concept.id }))),
+        publishAll: viewAction(authedViews, (event) => content.publishAllAction(contentEvent(event, {}))),
+        addEditor: viewAction(['editors'], (event) => editors.addEditorAction(event)),
+        removeEditor: viewAction(['editors'], (event) => editors.removeEditorAction(event)),
+        setRole: viewAction(['editors'], (event) => editors.setRoleAction(event)),
+    };
+    return { load, actions };
+}