@glw907/cairn-cms 0.41.0 → 0.50.0

package/dist/sveltekit/cairn-admin.js

@@ -0,0 +1,126 @@
+// The single-mount admin facade. One factory closes over the composed runtime, instantiates
+// the existing per-surface route factories (auth, content, editors, nav), and serves every
+// admin view through the one load and one actions record a site's catch-all /admin/[...path]
+// route exports. The path authority is admin-dispatch's parseAdminPath; this module only maps
+// each view to the wrapped load it delegates to, and each named action validates that the
+// parsed view supports it before delegating to the same wrapped factories.
+import { error } from '@sveltejs/kit';
+import { parseAdminPath } from './admin-dispatch.js';
+import { createAuthRoutes } from './auth-routes.js';
+import { createContentRoutes, } from './content-routes.js';
+import { createEditorRoutes } from './editors-routes.js';
+import { createNavRoutes } from './nav-routes.js';
+export function createCairnAdmin(runtime, deps = {}) {
+    // The runtime already composes the site name and the sender identity, so the magic-link
+    // branding needs no second copy of either unless a site overrides it.
+    const branding = deps.branding ?? {
+        siteName: runtime.siteName,
+        from: runtime.sender.from,
+        replyTo: runtime.sender.replyTo,
+    };
+    const auth = createAuthRoutes({ branding, send: deps.send });
+    const content = createContentRoutes(runtime, { mintToken: deps.mintToken });
+    const editors = createEditorRoutes();
+    // The nav surface exists only when the site configures a menu; without one its view is a 404.
+    const nav = runtime.navMenu ? createNavRoutes(runtime, { mintToken: deps.mintToken }) : null;
+    /** Build the event a wrapped content load reads. The catch-all route carries only a rest
+     *  param, so `concept` and `id` are synthesized from the parsed view. The override names
+     *  each field explicitly rather than spreading: a real RequestEvent's fields can sit behind
+     *  getters a bare spread copies poorly, and the structural ContentEvent contract needs only
+     *  these. */
+    function contentEvent(event, params) {
+        return {
+            url: event.url,
+            params,
+            request: event.request,
+            locals: event.locals,
+            platform: event.platform,
+            cookies: event.cookies,
+        };
+    }
+    /** Serve the admin view the pathname names, or a 404 for any shape the parser refuses.
+     *  The authed views run the layout load and the view load concurrently; both mint a GitHub
+     *  token, and the installation-token cache coalesces the mints into one signing. */
+    async function load(event) {
+        const view = parseAdminPath(event.url.pathname, runtime.concepts);
+        if (!view)
+            throw error(404, 'Not found');
+        switch (view.view) {
+            case 'index':
+                return content.indexRedirect();
+            case 'login':
+                return { view: 'login', page: auth.loginLoad(event) };
+            case 'confirm':
+                return { view: 'confirm', page: auth.confirmLoad(event) };
+            case 'list': {
+                const delegated = contentEvent(event, { concept: view.concept.id });
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.listLoad(delegated)]);
+                return { view: 'list', layout, page };
+            }
+            case 'edit': {
+                const delegated = contentEvent(event, { concept: view.concept.id, id: view.id });
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.editLoad(delegated)]);
+                return { view: 'edit', layout, page };
+            }
+            case 'editors': {
+                // editorsLoad gates itself with requireOwner, so the dispatcher adds no second gate.
+                const [layout, page] = await Promise.all([
+                    content.layoutLoad(contentEvent(event, {})),
+                    editors.editorsLoad(event),
+                ]);
+                return { view: 'editors', layout, page };
+            }
+            case 'nav': {
+                if (!nav)
+                    throw error(404, 'Not found');
+                const delegated = contentEvent(event, {});
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), nav.navLoad(delegated)]);
+                return { view: 'nav', layout, page };
+            }
+        }
+    }
+    /** Wrap a delegate in the parse-and-check every action shares: parse the pathname exactly
+     *  as load does, 404 on a null parse or a view outside the allowed set, then hand the
+     *  narrowed view to the delegate. */
+    function viewAction(allowed, delegate) {
+        return async (event) => {
+            const view = parseAdminPath(event.url.pathname, runtime.concepts);
+            if (!view || !allowed.includes(view.view))
+                throw error(404, 'Not found');
+            // The includes check above proves the membership the cast asserts.
+            return delegate(event, view);
+        };
+    }
+    // The topbar posts publishAll from every authed admin page; login and confirm may not.
+    const authedViews = ['list', 'edit', 'editors', 'nav'];
+    // An editor signs out from wherever they are, so logout accepts any parsed view.
+    const anyView = ['index', 'login', 'confirm', 'list', 'edit', 'editors', 'nav'];
+    /** The full admin action vocabulary, one named async function per action, so a site's
+     *  catch-all route exports `admin.actions` directly. Each wrapper stays thin: parse,
+     *  validate the view, synthesize the params the wrapped action reads, delegate. The
+     *  editor actions gate themselves with requireOwner, so no second gate is added here. */
+    const actions = {
+        request: viewAction(['login'], (event) => auth.requestAction(event)),
+        confirm: viewAction(['confirm'], (event) => auth.confirmAction(event)),
+        logout: viewAction(anyView, (event) => auth.logoutAction(event)),
+        create: viewAction(['list'], (event, view) => content.createAction(contentEvent(event, { concept: view.concept.id }))),
+        save: viewAction(['edit', 'nav'], (event, view) => {
+            if (view.view === 'edit')
+                return content.saveAction(contentEvent(event, { concept: view.concept.id, id: view.id }));
+            if (!nav)
+                throw error(404, 'Not found');
+            return nav.navSave(contentEvent(event, {}));
+        }),
+        publish: viewAction(['edit'], (event, view) => content.publishAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        discard: viewAction(['edit'], (event, view) => content.discardAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        rename: viewAction(['edit'], (event, view) => content.renameAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        delete: viewAction(['edit', 'list'], (event, view) => view.view === 'edit'
+            ? content.deleteAction(contentEvent(event, { concept: view.concept.id, id: view.id }))
+            : content.listDeleteAction(contentEvent(event, { concept: view.concept.id }))),
+        publishAll: viewAction(authedViews, (event) => content.publishAllAction(contentEvent(event, {}))),
+        addEditor: viewAction(['editors'], (event) => editors.addEditorAction(event)),
+        removeEditor: viewAction(['editors'], (event) => editors.removeEditorAction(event)),
+        setRole: viewAction(['editors'], (event) => editors.setRoleAction(event)),
+    };
+    return { load, actions };
+}

package/dist/sveltekit/condition-response.d.ts

@@ -3,6 +3,7 @@ export declare const REASON_CONDITION: {
     readonly https: "edge.https-not-forced";
     readonly csrf: "auth.csrf-token-invalid";
     readonly origin: "auth.csrf-origin-mismatch";
+    readonly bindings: "config.bindings-missing";
 };
 export type GuardReason = keyof typeof REASON_CONDITION;
 /** Render the Response the guard serves for a rejection, by its condition id. */

package/dist/sveltekit/condition-response.js

@@ -4,13 +4,35 @@
 import { brandedAdminPage } from './admin-response.js';
 import { httpsRequiredPage } from './https-required-page.js';
 import { csrfRequiredPage } from './csrf-required-page.js';
+import { escapeHtml } from '../escape.js';
+import { renderStaticAdminPage } from './static-admin-page.js';
 import { condition } from '../diagnostics/index.js';
 /** The guard.rejected reasons, each mapped to its registered condition id. */
 export const REASON_CONDITION = {
     https: 'edge.https-not-forced',
     csrf: 'auth.csrf-token-invalid',
     origin: 'auth.csrf-origin-mismatch',
+    bindings: 'config.bindings-missing',
 };
+/**
+ * A branded page for an operator fault, built straight from the registered condition's fields so
+ * the served copy, the doctor's report, and the readiness checklist say the same thing.
+ */
+function conditionFaultPage(cond) {
+    const inner = `
+  <span class="eyebrow">
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3Z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg>
+    Site setup required
+  </span>
+  <h1>${escapeHtml(cond.title)}</h1>
+  <p>${escapeHtml(cond.why)}</p>
+
+  <div class="fix">
+    <h2>If you run this site</h2>
+    <p>${escapeHtml(cond.remediation)}</p>
+  </div>`;
+    return renderStaticAdminPage({ title: `${cond.title} · Cairn`, innerHtml: inner });
+}
 /** Render the Response the guard serves for a rejection, by its condition id. */
 export function renderConditionResponse(id, ctx = {}) {
     // Assert the id is registered before rendering, keeping the renderer in 1:1 with the registry.
@@ -28,6 +50,9 @@ export function renderConditionResponse(id, ctx = {}) {
                 status: 403,
                 headers: { 'Content-Type': 'text/plain; charset=utf-8' },
             });
+        case REASON_CONDITION.bindings:
+            // An operator fault, not a request fault: the Worker deployed without its bindings.
+            return brandedAdminPage(500, conditionFaultPage(condition(id)));
         default:
             throw new Error(`no runtime renderer for condition: ${id}`);
     }

package/dist/sveltekit/content-routes.d.ts

@@ -1,9 +1,9 @@
 import { fail } from '@sveltejs/kit';
 import { type GithubKeyEnv } from '../github/credentials.js';
 import { type LinkTarget, type InboundLink } from '../content/manifest.js';
-import type { CookieJar } from './types.js';
+import type { CookieJar, EventBase } from './types.js';
 import type { CairnRuntime, FrontmatterField } from '../content/types.js';
-import type { Editor, Role } from '../auth/types.js';
+import type { Role } from '../auth/types.js';
 /** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
 export interface NavConcept {
     id: string;
@@ -89,25 +89,45 @@ export interface EditData {
     discardedFlash: boolean;
 }
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
-export interface ContentEvent {
-    url: URL;
+export interface ContentEvent extends EventBase<GithubKeyEnv> {
     params: Record<string, string>;
-    request: Request;
-    locals: {
-        editor?: Editor | null;
-    };
-    platform?: {
-        env?: GithubKeyEnv;
-    };
     /** SvelteKit's cookie jar. The layout load reads the persisted admin theme and issues the CSRF
      *  token. Optional for non-route callers. */
     cookies?: CookieJar;
 }
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface ContentRoutesDeps {
-    /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer. */
-    mintToken?: (env: GithubKeyEnv) => Promise<string>;
+    /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
+     *  A bare string works too; the routes await whatever comes back. */
+    mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
+}
+/** A blocked save or publish: `fail(400)` when the body links to a target absent from main. */
+export interface SaveFailure {
+    /** The one-line human summary every content action failure carries. */
+    error: string;
+    /** The cairn tokens that resolve to no entry, for the editor's fix-it banner. */
+    brokenLinks: string[];
+    /** The author's edited markdown, so the editor reseeds with the unsaved work. */
+    body: string;
+}
+/** A refused delete: `fail(409)` while other entries still link to this one. */
+export interface DeleteRefusal {
+    /** The one-line human summary every content action failure carries. */
+    error: string;
+    /** The entries whose bodies link to the refused one, for the blockers list. */
+    inboundLinks: InboundLink[];
+    /** The refused entry's id, so a list view marks the right row. */
+    id: string;
+}
+/** A refused rename: `fail(400)` on a bad slug, `fail(409)` on a collision or pending edits. */
+export interface RenameFailure {
+    /** The one-line human summary every content action failure carries. */
+    error: string;
 }
+/** What a route's single `form` export presents to a view component: whichever content action
+ *  last failed, merged with every field optional. `error` is always set on a failure; the richer
+ *  keys identify which guard refused. */
+export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure>;
 export declare function createContentRoutes(runtime: CairnRuntime, deps?: ContentRoutesDeps): {
     layoutLoad: (event: ContentEvent) => Promise<LayoutData>;
     indexRedirect: () => never;
@@ -121,5 +141,5 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     deleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     listDeleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
-    mintToken: (env: GithubKeyEnv) => Promise<string>;
+    mintToken: (env: GithubKeyEnv) => string | Promise<string>;
 };

package/dist/sveltekit/content-routes.js

@@ -4,17 +4,16 @@
 // email `send` injection in auth-routes. A shim stays one line: `export const load = routes.editLoad`.
 import { redirect, error, fail } from '@sveltejs/kit';
 import { findConcept } from '../content/concepts.js';
-import { extractCairnLinks, formatCairnToken } from '../content/links.js';
+import { extractCairnLinks, formatCairnToken, rewriteCairnLink } from '../content/links.js';
 import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown } from '../content/frontmatter.js';
 import { isValidId, slugify, filenameFromId, composeDatedId, slugFromId, renameId } from '../content/ids.js';
-import { rewriteCairnLink } from '../components/markdown-format.js';
 import { appCredentials } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFiles } from '../github/repo.js';
 import { branchHeadSha, createBranch, deleteBranch, listBranches } from '../github/branches.js';
 import { PENDING_PREFIX, pendingBranch, parsePendingBranch } from '../content/pending.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, removeEntry, inboundLinks } from '../content/manifest.js';
-import { CommitConflictError } from '../github/types.js';
+import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { issueCsrfToken } from './csrf.js';
 /** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
@@ -112,9 +111,31 @@ export function createContentRoutes(runtime, deps = {}) {
             return { id: file.id, title: file.id, date: null, draft: false, status };
         }
     }
-    /** List a concept's entries with their publish status. Main's files carry `edited` when a
-     *  pending ref exists, else `published`; a ref with no main file appends a `new` row read from
-     *  its branch. A listing failure degrades to an inline error, not a thrown 500. */
+    /** Read an entry's list row from its pending branch, so a pending title or draft change shows
+     *  in the list instead of reading as a lost save. summarize degrades a failed or empty read to
+     *  an id-only row, so a ghost ref still lists. */
+    function pendingRow(concept, id, status, token) {
+        return summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, status, {
+            ...runtime.backend,
+            branch: pendingBranch(concept.id, id),
+        });
+    }
+    /** The per-file crawl, kept only for a repo with no committed manifest yet: list main's files
+     *  and read each one for its row, with edited and new rows reading branch-first. */
+    async function crawlEntries(concept, pendingIds, token) {
+        const files = await listMarkdown(runtime.backend, concept.dir, token);
+        const entries = await Promise.all(files.map((f) => (pendingIds.has(f.id) ? pendingRow(concept, f.id, 'edited', token) : summarize(f, token, 'published'))));
+        // A ref with no main file is a never-published entry; its row reads from its branch.
+        const listed = new Set(files.map((f) => f.id));
+        const newRows = await Promise.all([...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)));
+        return [...entries, ...newRows];
+    }
+    /** List a concept's entries with their publish status. Published rows project straight from
+     *  main's manifest, which publish, delete, and rename keep atomically in sync with main, so
+     *  the listing costs one manifest read plus one branch read per pending entry rather than one
+     *  read per file. A manifest row with a pending ref is `edited` and reads branch-first; a ref
+     *  with no manifest row appends a `new` row read from its branch. A listing failure degrades
+     *  to an inline error, not a thrown 500. */
     async function listLoad(event) {
         sessionOf(event);
         const concept = conceptOf(runtime, event.params);
@@ -130,28 +151,28 @@ export function createContentRoutes(runtime, deps = {}) {
             return { ...base, entries: [], error: 'Could not authenticate with GitHub.' };
         }
         try {
-            const [files, refs] = await Promise.all([
-                listMarkdown(runtime.backend, concept.dir, token),
+            const [manifestRaw, refs] = await Promise.all([
+                readRaw(runtime.backend, runtime.manifestPath, token),
                 listBranches(runtime.backend, `${PENDING_PREFIX}${concept.id}/`, token),
             ]);
             const pendingIds = new Set(refs.flatMap((name) => {
                 const entry = pendingEntryOf(name);
                 return entry && entry.concept.id === concept.id ? [entry.id] : [];
             }));
-            // An edited row reads branch-first like a new row, so a pending title or draft change
-            // shows in the list instead of reading as a lost save.
-            const entries = await Promise.all(files.map((f) => pendingIds.has(f.id)
-                ? summarize(f, token, 'edited', { ...runtime.backend, branch: pendingBranch(concept.id, f.id) })
-                : summarize(f, token, 'published')));
-            // A ref with no main file is a never-published entry; its row reads from its branch, and
-            // summarize already degrades a failed read to an id-only row.
-            const listed = new Set(files.map((f) => f.id));
-            const newRows = await Promise.all([...pendingIds]
-                .filter((id) => !listed.has(id))
-                .map((id) => summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, 'new', {
-                ...runtime.backend,
-                branch: pendingBranch(concept.id, id),
-            })));
+            // A repo with no committed manifest yet (a fresh site before its first publish) falls back
+            // to the crawl; a manifest that parses but is empty is trusted as-is.
+            if (manifestRaw === null) {
+                return { ...base, entries: await crawlEntries(concept, pendingIds, token), error: null };
+            }
+            // Newest id first, the same order the crawl's file listing produced.
+            const rows = parseManifest(manifestRaw)
+                .entries.filter((e) => e.concept === concept.id)
+                .sort((a, b) => b.id.localeCompare(a.id));
+            const entries = await Promise.all(rows.map((e) => pendingIds.has(e.id)
+                ? pendingRow(concept, e.id, 'edited', token)
+                : { id: e.id, title: e.title, date: e.date ?? null, draft: e.draft, status: 'published' }));
+            const listed = new Set(rows.map((e) => e.id));
+            const newRows = await Promise.all([...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)));
             return { ...base, entries: [...entries, ...newRows], error: null };
         }
         catch {
@@ -270,10 +291,6 @@ export function createContentRoutes(runtime, deps = {}) {
             discardedFlash: event.url.searchParams.get('discarded') === '1',
         };
     }
-    /** Match a commit conflict by class and by name (bundling can alias the class identity). */
-    function isConflict(err) {
-        return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
-    }
     /** Log a failed commit: a conflict is the expected last-writer-wins outcome, so it warns with a
      *  reason; any other error is unexpected and logs at error with the stringified cause. Publish
      *  failures carry the same shape under their own event name. */
@@ -338,7 +355,12 @@ export function createContentRoutes(runtime, deps = {}) {
                 draftLinks.push(formatCairnToken(ref));
         }
         if (absent.length) {
-            return fail(400, { brokenLinks: absent, body });
+            const noun = absent.length === 1 ? 'page' : 'pages';
+            return fail(400, {
+                error: `This page links to ${absent.length} missing ${noun}.`,
+                brokenLinks: absent,
+                body,
+            });
         }
         // Ensure the entry's pending branch exists (cut lazily from main's head on first save), then
         // commit only the entry file there. Main stays untouched until publish, so the branch differs
@@ -525,7 +547,11 @@ export function createContentRoutes(runtime, deps = {}) {
         const manifest = await readManifest(token);
         const inbound = inboundLinks(manifest, concept.id, id);
         if (inbound.length) {
-            return fail(409, { inboundLinks: inbound, id });
+            return fail(409, {
+                error: `Cannot delete ${id}: ${inbound.length} ${inbound.length === 1 ? 'page links' : 'pages link'} to it.`,
+                inboundLinks: inbound,
+                id,
+            });
         }
         // When the entry was never published (absent from main), the branch delete is the whole
         // operation; main has nothing to commit, so the only honest log record is the discard of
@@ -593,19 +619,19 @@ export function createContentRoutes(runtime, deps = {}) {
         // Pending edits on the branch are keyed to the old id; renaming underneath them would strand
         // them, so refuse until the editor publishes or discards.
         if ((await branchHeadSha(runtime.backend, pendingBranch(concept.id, id), token)) !== null) {
-            return fail(409, { renameError: 'This entry has unpublished edits. Publish or discard them, then rename.' });
+            return fail(409, { error: 'This entry has unpublished edits. Publish or discard them, then rename.' });
         }
         const form = await event.request.formData();
         const newSlug = String(form.get('slug') ?? '').trim();
         if (!isValidId(newSlug)) {
-            return fail(400, { renameError: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' });
+            return fail(400, { error: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' });
         }
         const datePrefix = concept.routing.dated ? concept.datePrefix : null;
         if (concept.routing.dated && /^\d{4}-/.test(newSlug)) {
-            return fail(400, { renameError: 'Leave the date out of the slug.' });
+            return fail(400, { error: 'Leave the date out of the slug.' });
         }
         if (newSlug === slugFromId(id, datePrefix)) {
-            return fail(400, { renameError: 'That is already the slug.' });
+            return fail(400, { error: 'That is already the slug.' });
         }
         const newId = renameId(id, newSlug, datePrefix);
         const oldPath = `${concept.dir}/${filenameFromId(id)}`;
@@ -615,7 +641,7 @@ export function createContentRoutes(runtime, deps = {}) {
         // concurrent-rename race where another editor renamed onto this path between load and submit.
         const clobber = await readRaw(runtime.backend, newPath, token);
         if (clobber !== null) {
-            return fail(409, { renameError: 'An entry with that slug already exists.' });
+            return fail(409, { error: 'An entry with that slug already exists.' });
         }
         const [entryRaw, manifest] = await Promise.all([
             readRaw(runtime.backend, oldPath, token),

package/dist/sveltekit/guard.js

@@ -6,7 +6,7 @@ import { resolveSession } from '../auth/store.js';
 import { sessionCookieName } from '../auth/crypto.js';
 import { isUnsafeFormRequest, originMatches, validateCsrfToken } from './csrf.js';
 import { applySecurityHeaders } from './admin-response.js';
-import { renderConditionResponse } from './condition-response.js';
+import { renderConditionResponse, REASON_CONDITION } from './condition-response.js';
 import { log } from '../log/index.js';
 /** The login page and the auth endpoints are public; everything else under /admin is gated. */
 function isPublicAdminPath(pathname) {
@@ -49,6 +49,19 @@ export function createAuthGuard() {
             log.warn('guard.rejected', { reason: 'https', path: pathname });
             return renderConditionResponse('edge.https-not-forced', { url: event.url });
         }
+        // No auth store binding means no admin path can work: the gated views cannot resolve a
+        // session, and a login or confirm POST would die in its action with a raw 500. That is an
+        // operator fault, not a sign-in problem, so name the condition on every admin path, the
+        // public ones included, instead of rendering a login form that can never succeed.
+        const env = event.platform?.env ?? {};
+        if (!env.AUTH_DB) {
+            log.error('guard.rejected', {
+                reason: 'bindings',
+                conditionId: REASON_CONDITION.bindings,
+                path: pathname,
+            });
+            return renderConditionResponse(REASON_CONDITION.bindings);
+        }
         // Rule 1 - admin: every unsafe form POST carries a valid double-submit token, else the branded
         // 403 before resolve() runs. This covers the public login/auth posts too.
         if (isUnsafeFormRequest(event.request) && !(await validateCsrfToken(event))) {
@@ -56,9 +69,8 @@ export function createAuthGuard() {
             return renderConditionResponse('auth.csrf-token-invalid');
         }
         if (!isPublicAdminPath(pathname)) {
-            const env = event.platform?.env ?? {};
             const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
-            const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+            const editor = id ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
             if (!editor)
                 throw redirect(303, '/admin/login');
             event.locals.editor = editor;

package/dist/sveltekit/https-required-page.js

@@ -4,7 +4,8 @@
 // not match, so the editor would otherwise hit an opaque 403. This page names the problem, says why
 // https is needed, and gives the exact Cloudflare fix. The shared shell lives in
 // static-admin-page.ts. See guard.ts.
-import { escapeHtml, renderStaticAdminPage } from './static-admin-page.js';
+import { escapeHtml } from '../escape.js';
+import { renderStaticAdminPage } from './static-admin-page.js';
 /**
  * Render the full HTML document for the HTTPS-required page.
  * @param httpsUrl The same request rebuilt over https, offered as the one-click recovery link.

package/dist/sveltekit/index.d.ts

@@ -2,9 +2,11 @@ export { createAuthGuard, requireSession, requireOwner } from './guard.js';
 export { createAuthRoutes, type AuthRoutesConfig, type RequestResult } from './auth-routes.js';
 export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
-export type { NavConcept, LayoutData, EntrySummary, ListData, EditData, ContentEvent, ContentRoutesDeps, } from './content-routes.js';
+export type { NavConcept, LayoutData, EntrySummary, ListData, EditData, ContentEvent, ContentRoutesDeps, SaveFailure, DeleteRefusal, RenameFailure, ContentFormFailure, } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
 export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
+export { parseAdminPath, type AdminView } from './admin-dispatch.js';
+export { createCairnAdmin, type CairnAdminDeps, type AdminData } from './cairn-admin.js';
 export { healthLoad, type HealthData } from './health.js';
 export type { RequestContext, CookieJar, HandleInput } from './types.js';
 export type { GithubKeyEnv } from '../github/credentials.js';

package/dist/sveltekit/index.js

@@ -5,4 +5,6 @@ export { createAuthRoutes } from './auth-routes.js';
 export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
+export { parseAdminPath } from './admin-dispatch.js';
+export { createCairnAdmin } from './cairn-admin.js';
 export { healthLoad } from './health.js';

package/dist/sveltekit/nav-routes.d.ts

@@ -21,7 +21,9 @@ export interface NavLoadData {
 }
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface NavRoutesDeps {
-    mintToken?: (env: GithubKeyEnv) => Promise<string>;
+    /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
+     *  A bare string works too; the routes await whatever comes back. */
+    mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
 }
 export declare function createNavRoutes(runtime: CairnRuntime, deps?: NavRoutesDeps): {
     navLoad: (event: ContentEvent) => Promise<NavLoadData>;

package/dist/sveltekit/nav-routes.js

@@ -5,7 +5,7 @@ import { redirect, error } from '@sveltejs/kit';
 import { appCredentials } from '../github/credentials.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
-import { CommitConflictError } from '../github/types.js';
+import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { parseSiteConfig, extractMenu, validateNavTree, setMenu } from '../nav/site-config.js';
 /** The signed-in editor the guard resolved, or a login redirect. */
@@ -15,10 +15,6 @@ function sessionOf(event) {
         throw redirect(303, '/admin/login');
     return editor;
 }
-/** Match a commit conflict by class and by name (bundling can alias the class identity). */
-function isConflict(err) {
-    return err instanceof CommitConflictError || err?.name === 'CommitConflictError';
-}
 export function createNavRoutes(runtime, deps = {}) {
     const mintToken = deps.mintToken ?? ((env) => cachedInstallationToken(appCredentials(runtime.backend, env)));
     /** List page-like concepts (routable, not dated) for the URL picker. Best-effort per concept. */
@@ -51,14 +47,27 @@ export function createNavRoutes(runtime, deps = {}) {
             return { menu, tree: [], pages: [], saved: false, error: 'Could not authenticate with GitHub.' };
         }
         let tree = [];
+        let raw = null;
         try {
-            const raw = await readRaw(runtime.backend, config.configPath, token);
-            if (raw !== null)
-                tree = extractMenu(parseSiteConfig(raw), config.menuName, maxDepth);
+            raw = await readRaw(runtime.backend, config.configPath, token);
         }
         catch {
-            // A malformed or unreadable config degrades to an empty tree; the first save writes a clean menu.
-            tree = [];
+            // An unreadable config degrades to an empty tree; the first save writes a clean menu.
+            raw = null;
+        }
+        if (raw !== null) {
+            try {
+                tree = extractMenu(parseSiteConfig(raw), config.menuName, maxDepth);
+            }
+            catch (err) {
+                // A malformed config keeps the same degrade (the nav page failing closed would be worse
+                // for the editor), but the swallow names the operator fault in the log.
+                log.error('config.invalid', {
+                    conditionId: 'config.site-config-invalid',
+                    error: String(err),
+                });
+                tree = [];
+            }
         }
         return {
             menu,

package/dist/sveltekit/static-admin-page.d.ts

@@ -1,5 +1,3 @@
-/** Escape a string for safe interpolation into HTML text and double-quoted attributes. */
-export declare function escapeHtml(value: string): string;
 /**
  * Render a full self-contained admin page document. The caller supplies trusted inner HTML
  * (eyebrow, heading, copy, CTA); the helper owns the head, the inlined style, the brand tile,

package/dist/sveltekit/static-admin-page.js

@@ -2,14 +2,7 @@
 // self-contained document with inlined Warm Stone tokens for both colour schemes and the system
 // font stack, served raw before SvelteKit renders. The cairn glyph is the same public-domain
 // Temaki mark the admin chrome uses. See docs/internal/admin-design-system.md.
-/** Escape a string for safe interpolation into HTML text and double-quoted attributes. */
-export function escapeHtml(value) {
-    return value
-        .replace(/&/g, '&')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;');
-}
+import { escapeHtml } from '../escape.js';
 // The cairn stone-stack glyph (Temaki, CC0), drawn in currentColor like CairnLogo.svelte.
 const CAIRN_GLYPH = '<path d="M6.28 14C5.56 14 1 13.89 1 12.91C1 11.46 2.16 11.07 3.2 10.81C4.36 10.51 13.18 9.77 ' +
     '13.76 10.07C14.46 10.43 13.52 12.49 12.44 12.77C11.28 13.07 10.21 14 8.48 14C7.05 14 9.69 14 ' +

package/dist/sveltekit/types.d.ts

@@ -13,22 +13,29 @@ export interface CookieJar {
         path: string;
     }): void;
 }
-export interface RequestContext {
+/** The Cloudflare platform wrapper an event carries; `context` is the legacy alias for `ctx`. */
+export interface PlatformContext<Env> {
+    env?: Env;
+    ctx?: {
+        waitUntil(promise: Promise<unknown>): void;
+    };
+    context?: {
+        waitUntil(promise: Promise<unknown>): void;
+    };
+}
+/** The structural core every engine event type extends, parameterized by the Worker env the
+ *  surface reads. Each shared field is defined once here; the extensions add only what their
+ *  surface needs (cookies, params, setHeaders). */
+export interface EventBase<Env> {
     url: URL;
     request: Request;
-    cookies: CookieJar;
     locals: {
         editor?: Editor | null;
     };
-    platform?: {
-        env?: AuthEnv;
-        ctx?: {
-            waitUntil(promise: Promise<unknown>): void;
-        };
-        context?: {
-            waitUntil(promise: Promise<unknown>): void;
-        };
-    };
+    platform?: PlatformContext<Env>;
+}
+export interface RequestContext extends EventBase<AuthEnv> {
+    cookies: CookieJar;
     setHeaders(headers: Record<string, string>): void;
 }
 export interface HandleInput {