@glw907/cairn-cms 0.41.0 → 0.51.0

package/src/lib/sveltekit/cairn-admin.ts

@@ -0,0 +1,177 @@
+// The single-mount admin facade. One factory closes over the composed runtime, instantiates
+// the existing per-surface route factories (auth, content, editors, nav), and serves every
+// admin view through the one load and one actions record a site's catch-all /admin/[...path]
+// route exports. The path authority is admin-dispatch's parseAdminPath; this module only maps
+// each view to the wrapped load it delegates to, and each named action validates that the
+// parsed view supports it before delegating to the same wrapped factories.
+import { error } from '@sveltejs/kit';
+import { parseAdminPath, type AdminView } from './admin-dispatch.js';
+import { createAuthRoutes } from './auth-routes.js';
+import {
+  createContentRoutes,
+  type ContentEvent,
+  type ContentRoutesDeps,
+  type LayoutData,
+  type ListData,
+  type EditData,
+} from './content-routes.js';
+import { createEditorRoutes } from './editors-routes.js';
+import { createNavRoutes, type NavLoadData } from './nav-routes.js';
+import type { AuthBranding, SendMagicLink } from '../email.js';
+import type { AuthEnv, Editor } from '../auth/types.js';
+import type { GithubKeyEnv } from '../github/credentials.js';
+import type { CairnRuntime } from '../content/types.js';
+import type { CookieJar, EventBase } from './types.js';
+
+/**
+ * The structural event the single-mount load reads: the union of what the wrapped loads need
+ * (ContentEvent minus params, which the dispatcher synthesizes, plus RequestContext's cookies
+ * and setHeaders). A real SvelteKit RequestEvent satisfies it.
+ */
+export interface AdminEvent extends EventBase<GithubKeyEnv & AuthEnv> {
+  cookies: CookieJar;
+  setHeaders(headers: Record<string, string>): void;
+}
+
+/** Injectable dependencies. Branding defaults from the runtime's siteName and sender, so a
+ *  site overrides it only to change the magic-link email identity; `send` and `mintToken`
+ *  are the same seams the underlying factories take. */
+export interface CairnAdminDeps {
+  branding?: AuthBranding;
+  send?: SendMagicLink;
+  mintToken?: ContentRoutesDeps['mintToken'];
+}
+
+/**
+ * One admin view's data, discriminated for the admin page component's switch. The public
+ * views (login, confirm) carry no layout; every authed view pairs the shared layout with its
+ * page data, the same shapes the per-surface loads have always returned.
+ */
+export type AdminData =
+  | { view: 'login'; page: { siteName: string; error: string | null; csrf: string } }
+  | { view: 'confirm'; page: { token: string; siteName: string; error: string | null; csrf: string } }
+  | { view: 'list'; layout: LayoutData; page: ListData }
+  | { view: 'edit'; layout: LayoutData; page: EditData }
+  | { view: 'editors'; layout: LayoutData; page: { editors: Editor[]; self: string } }
+  | { view: 'nav'; layout: LayoutData; page: NavLoadData };
+
+export function createCairnAdmin(runtime: CairnRuntime, deps: CairnAdminDeps = {}) {
+  // The runtime already composes the site name and the sender identity, so the magic-link
+  // branding needs no second copy of either unless a site overrides it.
+  const branding: AuthBranding = deps.branding ?? {
+    siteName: runtime.siteName,
+    from: runtime.sender.from,
+    replyTo: runtime.sender.replyTo,
+  };
+  const auth = createAuthRoutes({ branding, send: deps.send });
+  const content = createContentRoutes(runtime, { mintToken: deps.mintToken });
+  const editors = createEditorRoutes();
+  // The nav surface exists only when the site configures a menu; without one its view is a 404.
+  const nav = runtime.navMenu ? createNavRoutes(runtime, { mintToken: deps.mintToken }) : null;
+
+  /** Build the event a wrapped content load reads. The catch-all route carries only a rest
+   *  param, so `concept` and `id` are synthesized from the parsed view. The override names
+   *  each field explicitly rather than spreading: a real RequestEvent's fields can sit behind
+   *  getters a bare spread copies poorly, and the structural ContentEvent contract needs only
+   *  these. */
+  function contentEvent(event: AdminEvent, params: Record<string, string>): ContentEvent {
+    return {
+      url: event.url,
+      params,
+      request: event.request,
+      locals: event.locals,
+      platform: event.platform,
+      cookies: event.cookies,
+    };
+  }
+
+  /** Serve the admin view the pathname names, or a 404 for any shape the parser refuses.
+   *  The authed views run the layout load and the view load concurrently; both mint a GitHub
+   *  token, and the installation-token cache coalesces the mints into one signing. */
+  async function load(event: AdminEvent): Promise<AdminData> {
+    const view = parseAdminPath(event.url.pathname, runtime.concepts);
+    if (!view) throw error(404, 'Not found');
+    switch (view.view) {
+      case 'index':
+        return content.indexRedirect();
+      case 'login':
+        return { view: 'login', page: auth.loginLoad(event) };
+      case 'confirm':
+        return { view: 'confirm', page: auth.confirmLoad(event) };
+      case 'list': {
+        const delegated = contentEvent(event, { concept: view.concept.id });
+        const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.listLoad(delegated)]);
+        return { view: 'list', layout, page };
+      }
+      case 'edit': {
+        const delegated = contentEvent(event, { concept: view.concept.id, id: view.id });
+        const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.editLoad(delegated)]);
+        return { view: 'edit', layout, page };
+      }
+      case 'editors': {
+        // editorsLoad gates itself with requireOwner, so the dispatcher adds no second gate.
+        const [layout, page] = await Promise.all([
+          content.layoutLoad(contentEvent(event, {})),
+          editors.editorsLoad(event),
+        ]);
+        return { view: 'editors', layout, page };
+      }
+      case 'nav': {
+        if (!nav) throw error(404, 'Not found');
+        const delegated = contentEvent(event, {});
+        const [layout, page] = await Promise.all([content.layoutLoad(delegated), nav.navLoad(delegated)]);
+        return { view: 'nav', layout, page };
+      }
+    }
+  }
+
+  /** Wrap a delegate in the parse-and-check every action shares: parse the pathname exactly
+   *  as load does, 404 on a null parse or a view outside the allowed set, then hand the
+   *  narrowed view to the delegate. */
+  function viewAction<V extends AdminView['view'], R>(
+    allowed: readonly V[],
+    delegate: (event: AdminEvent, view: Extract<AdminView, { view: V }>) => Promise<R>,
+  ): (event: AdminEvent) => Promise<R> {
+    return async (event) => {
+      const view = parseAdminPath(event.url.pathname, runtime.concepts);
+      if (!view || !(allowed as readonly string[]).includes(view.view)) throw error(404, 'Not found');
+      // The includes check above proves the membership the cast asserts.
+      return delegate(event, view as Extract<AdminView, { view: V }>);
+    };
+  }
+
+  // The topbar posts publishAll from every authed admin page; login and confirm may not.
+  const authedViews = ['list', 'edit', 'editors', 'nav'] as const;
+  // An editor signs out from wherever they are, so logout accepts any parsed view.
+  const anyView = ['index', 'login', 'confirm', 'list', 'edit', 'editors', 'nav'] as const;
+
+  /** The full admin action vocabulary, one named async function per action, so a site's
+   *  catch-all route exports `admin.actions` directly. Each wrapper stays thin: parse,
+   *  validate the view, synthesize the params the wrapped action reads, delegate. The
+   *  editor actions gate themselves with requireOwner, so no second gate is added here. */
+  const actions = {
+    request: viewAction(['login'], (event) => auth.requestAction(event)),
+    confirm: viewAction(['confirm'], (event) => auth.confirmAction(event)),
+    logout: viewAction(anyView, (event) => auth.logoutAction(event)),
+    create: viewAction(['list'], (event, view) => content.createAction(contentEvent(event, { concept: view.concept.id }))),
+    save: viewAction(['edit', 'nav'], (event, view) => {
+      if (view.view === 'edit') return content.saveAction(contentEvent(event, { concept: view.concept.id, id: view.id }));
+      if (!nav) throw error(404, 'Not found');
+      return nav.navSave(contentEvent(event, {}));
+    }),
+    publish: viewAction(['edit'], (event, view) => content.publishAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+    discard: viewAction(['edit'], (event, view) => content.discardAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+    rename: viewAction(['edit'], (event, view) => content.renameAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+    delete: viewAction(['edit', 'list'], (event, view) =>
+      view.view === 'edit'
+        ? content.deleteAction(contentEvent(event, { concept: view.concept.id, id: view.id }))
+        : content.listDeleteAction(contentEvent(event, { concept: view.concept.id })),
+    ),
+    publishAll: viewAction(authedViews, (event) => content.publishAllAction(contentEvent(event, {}))),
+    addEditor: viewAction(['editors'], (event) => editors.addEditorAction(event)),
+    removeEditor: viewAction(['editors'], (event) => editors.removeEditorAction(event)),
+    setRole: viewAction(['editors'], (event) => editors.setRoleAction(event)),
+  };
+
+  return { load, actions };
+}

package/src/lib/sveltekit/condition-response.ts

@@ -4,15 +4,38 @@
 import { brandedAdminPage } from './admin-response.js';
 import { httpsRequiredPage } from './https-required-page.js';
 import { csrfRequiredPage } from './csrf-required-page.js';
-import { condition } from '../diagnostics/index.js';
+import { escapeHtml } from '../escape.js';
+import { renderStaticAdminPage } from './static-admin-page.js';
+import { condition, type CairnCondition } from '../diagnostics/index.js';
 
 /** The guard.rejected reasons, each mapped to its registered condition id. */
 export const REASON_CONDITION = {
   https: 'edge.https-not-forced',
   csrf: 'auth.csrf-token-invalid',
   origin: 'auth.csrf-origin-mismatch',
+  bindings: 'config.bindings-missing',
 } as const;
 
+/**
+ * A branded page for an operator fault, built straight from the registered condition's fields so
+ * the served copy, the doctor's report, and the readiness checklist say the same thing.
+ */
+function conditionFaultPage(cond: CairnCondition): string {
+  const inner = `
+  <span class="eyebrow">
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3Z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg>
+    Site setup required
+  </span>
+  <h1>${escapeHtml(cond.title)}</h1>
+  <p>${escapeHtml(cond.why)}</p>
+
+  <div class="fix">
+    <h2>If you run this site</h2>
+    <p>${escapeHtml(cond.remediation)}</p>
+  </div>`;
+  return renderStaticAdminPage({ title: `${cond.title} · Cairn`, innerHtml: inner });
+}
+
 export type GuardReason = keyof typeof REASON_CONDITION;
 
 /** Render the Response the guard serves for a rejection, by its condition id. */
@@ -32,6 +55,9 @@ export function renderConditionResponse(id: string, ctx: { url?: URL } = {}): Re
         status: 403,
         headers: { 'Content-Type': 'text/plain; charset=utf-8' },
       });
+    case REASON_CONDITION.bindings:
+      // An operator fault, not a request fault: the Worker deployed without its bindings.
+      return brandedAdminPage(500, conditionFaultPage(condition(id)));
     default:
       throw new Error(`no runtime renderer for condition: ${id}`);
   }

package/src/lib/sveltekit/content-routes.ts

@@ -4,21 +4,21 @@
 // email `send` injection in auth-routes. A shim stays one line: `export const load = routes.editLoad`.
 import { redirect, error, fail } from '@sveltejs/kit';
 import { findConcept } from '../content/concepts.js';
-import { extractCairnLinks, formatCairnToken } from '../content/links.js';
+import { extractCairnLinks, formatCairnToken, rewriteCairnLink } from '../content/links.js';
 import { frontmatterFromForm, parseMarkdown, dateInputValue, serializeMarkdown } from '../content/frontmatter.js';
 import { isValidId, slugify, filenameFromId, composeDatedId, slugFromId, renameId } from '../content/ids.js';
-import { rewriteCairnLink } from '../components/markdown-format.js';
 import { appCredentials, type GithubKeyEnv } from '../github/credentials.js';
 import { listMarkdown, readRaw, commitFiles, type FileChange } from '../github/repo.js';
 import { branchHeadSha, createBranch, deleteBranch, listBranches } from '../github/branches.js';
 import { PENDING_PREFIX, pendingBranch, parsePendingBranch } from '../content/pending.js';
 import { cachedInstallationToken } from '../github/signing.js';
 import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest, upsertEntry, removeEntry, inboundLinks, type Manifest, type LinkTarget, type InboundLink } from '../content/manifest.js';
-import { CommitConflictError } from '../github/types.js';
+import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { issueCsrfToken } from './csrf.js';
-import type { CookieJar } from './types.js';
-import type { CairnRuntime, ConceptDescriptor, FrontmatterField } from '../content/types.js';
+import { requireSession } from './guard.js';
+import type { CookieJar, EventBase } from './types.js';
+import type { CairnRuntime, ConceptDescriptor, FrontmatterField, PreviewConfig, ResolvedPreview } from '../content/types.js';
 import type { Editor, Role } from '../auth/types.js';
 
 /** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
@@ -101,15 +101,15 @@ export interface EditData {
   publishedFlash: boolean;
   /** True after a discard redirect (`?discarded=1`), for the confirmation strip. */
   discardedFlash: boolean;
+  /** The adapter's preview knob resolved for this entry's concept (its `byConcept` override,
+   *  when one exists, applied over the top-level values); null when the site sets none, which
+   *  leaves the frame rendering unstyled markup behind a hint. */
+  preview: ResolvedPreview | null;
 }
 
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
-export interface ContentEvent {
-  url: URL;
+export interface ContentEvent extends EventBase<GithubKeyEnv> {
   params: Record<string, string>;
-  request: Request;
-  locals: { editor?: Editor | null };
-  platform?: { env?: GithubKeyEnv };
   /** SvelteKit's cookie jar. The layout load reads the persisted admin theme and issues the CSRF
    *  token. Optional for non-route callers. */
   cookies?: CookieJar;
@@ -117,15 +117,53 @@ export interface ContentEvent {
 
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
 export interface ContentRoutesDeps {
-  /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer. */
-  mintToken?: (env: GithubKeyEnv) => Promise<string>;
+  /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
+   *  A bare string works too; the routes await whatever comes back. */
+  mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
 }
 
-/** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
-function sessionOf(event: ContentEvent): Editor {
-  const editor = event.locals.editor;
-  if (!editor) throw redirect(303, '/admin/login');
-  return editor;
+/** A blocked save or publish: `fail(400)` when the body links to a target absent from main. */
+export interface SaveFailure {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+  /** The cairn tokens that resolve to no entry, for the editor's fix-it banner. */
+  brokenLinks: string[];
+  /** The author's edited markdown, so the editor reseeds with the unsaved work. */
+  body: string;
+}
+
+/** A refused delete: `fail(409)` while other entries still link to this one. */
+export interface DeleteRefusal {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+  /** The entries whose bodies link to the refused one, for the blockers list. */
+  inboundLinks: InboundLink[];
+  /** The refused entry's id, so a list view marks the right row. */
+  id: string;
+}
+
+/** A refused rename: `fail(400)` on a bad slug, `fail(409)` on a collision or pending edits. */
+export interface RenameFailure {
+  /** The one-line human summary every content action failure carries. */
+  error: string;
+}
+
+/** What a route's single `form` export presents to a view component: whichever content action
+ *  last failed, merged with every field optional. `error` is always set on a failure; the richer
+ *  keys identify which guard refused. */
+export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure>;
+
+/** Resolve the effective preview for one concept: its `byConcept` override wins per key, with
+ *  nullish coalescing so an override key that is present but undefined keeps the top-level value.
+ *  Stylesheets are always shared, and the `byConcept` map never reaches the client. */
+function resolvePreview(preview: PreviewConfig | undefined, conceptId: string): ResolvedPreview | null {
+  if (!preview) return null;
+  const override = preview.byConcept?.[conceptId];
+  return {
+    stylesheets: preview.stylesheets,
+    bodyClass: override?.bodyClass ?? preview.bodyClass,
+    containerClass: override?.containerClass ?? preview.containerClass,
+  };
 }
 
 /** Look up the concept named by the `[concept]` route param, or a 404. */
@@ -161,7 +199,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
   /** Layout load for every admin page: the nav, the user, the active path, the resolved theme,
    *  and the pending entries behind the topbar's publish-all action. */
   async function layoutLoad(event: ContentEvent): Promise<LayoutData> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const cookieTheme = event.cookies?.get('cairn-admin-theme');
     const theme = cookieTheme === 'cairn-admin-dark' ? 'cairn-admin-dark' : 'cairn-admin';
     const cookieCollapsed = event.cookies?.get('cairn-admin-nav-collapsed');
@@ -223,11 +261,39 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     }
   }
 
-  /** List a concept's entries with their publish status. Main's files carry `edited` when a
-   *  pending ref exists, else `published`; a ref with no main file appends a `new` row read from
-   *  its branch. A listing failure degrades to an inline error, not a thrown 500. */
+  /** Read an entry's list row from its pending branch, so a pending title or draft change shows
+   *  in the list instead of reading as a lost save. summarize degrades a failed or empty read to
+   *  an id-only row, so a ghost ref still lists. */
+  function pendingRow(concept: ConceptDescriptor, id: string, status: EntrySummary['status'], token: string): Promise<EntrySummary> {
+    return summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, status, {
+      ...runtime.backend,
+      branch: pendingBranch(concept.id, id),
+    });
+  }
+
+  /** The per-file crawl, kept only for a repo with no committed manifest yet: list main's files
+   *  and read each one for its row, with edited and new rows reading branch-first. */
+  async function crawlEntries(concept: ConceptDescriptor, pendingIds: Set<string>, token: string): Promise<EntrySummary[]> {
+    const files = await listMarkdown(runtime.backend, concept.dir, token);
+    const entries = await Promise.all(
+      files.map((f) => (pendingIds.has(f.id) ? pendingRow(concept, f.id, 'edited', token) : summarize(f, token, 'published'))),
+    );
+    // A ref with no main file is a never-published entry; its row reads from its branch.
+    const listed = new Set(files.map((f) => f.id));
+    const newRows = await Promise.all(
+      [...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)),
+    );
+    return [...entries, ...newRows];
+  }
+
+  /** List a concept's entries with their publish status. Published rows project straight from
+   *  main's manifest, which publish, delete, and rename keep atomically in sync with main, so
+   *  the listing costs one manifest read plus one branch read per pending entry rather than one
+   *  read per file. A manifest row with a pending ref is `edited` and reads branch-first; a ref
+   *  with no manifest row appends a `new` row read from its branch. A listing failure degrades
+   *  to an inline error, not a thrown 500. */
   async function listLoad(event: ContentEvent): Promise<ListData> {
-    sessionOf(event);
+    requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const formError = event.url.searchParams.get('error');
     const publishedAllRaw = event.url.searchParams.get('publishedAll');
@@ -240,8 +306,8 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       return { ...base, entries: [], error: 'Could not authenticate with GitHub.' };
     }
     try {
-      const [files, refs] = await Promise.all([
-        listMarkdown(runtime.backend, concept.dir, token),
+      const [manifestRaw, refs] = await Promise.all([
+        readRaw(runtime.backend, runtime.manifestPath, token),
         listBranches(runtime.backend, `${PENDING_PREFIX}${concept.id}/`, token),
       ]);
       const pendingIds = new Set(
@@ -250,27 +316,25 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
           return entry && entry.concept.id === concept.id ? [entry.id] : [];
         }),
       );
-      // An edited row reads branch-first like a new row, so a pending title or draft change
-      // shows in the list instead of reading as a lost save.
+      // A repo with no committed manifest yet (a fresh site before its first publish) falls back
+      // to the crawl; a manifest that parses but is empty is trusted as-is.
+      if (manifestRaw === null) {
+        return { ...base, entries: await crawlEntries(concept, pendingIds, token), error: null };
+      }
+      // Newest id first, the same order the crawl's file listing produced.
+      const rows = parseManifest(manifestRaw)
+        .entries.filter((e) => e.concept === concept.id)
+        .sort((a, b) => b.id.localeCompare(a.id));
       const entries = await Promise.all(
-        files.map((f) =>
-          pendingIds.has(f.id)
-            ? summarize(f, token, 'edited', { ...runtime.backend, branch: pendingBranch(concept.id, f.id) })
-            : summarize(f, token, 'published'),
+        rows.map((e) =>
+          pendingIds.has(e.id)
+            ? pendingRow(concept, e.id, 'edited', token)
+            : { id: e.id, title: e.title, date: e.date ?? null, draft: e.draft, status: 'published' as const },
         ),
       );
-      // A ref with no main file is a never-published entry; its row reads from its branch, and
-      // summarize already degrades a failed read to an id-only row.
-      const listed = new Set(files.map((f) => f.id));
+      const listed = new Set(rows.map((e) => e.id));
       const newRows = await Promise.all(
-        [...pendingIds]
-          .filter((id) => !listed.has(id))
-          .map((id) =>
-            summarize({ id, path: `${concept.dir}/${filenameFromId(id)}` }, token, 'new', {
-              ...runtime.backend,
-              branch: pendingBranch(concept.id, id),
-            }),
-          ),
+        [...pendingIds].filter((id) => !listed.has(id)).map((id) => pendingRow(concept, id, 'new', token)),
       );
       return { ...base, entries: [...entries, ...newRows], error: null };
     } catch {
@@ -280,7 +344,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
 
   /** Create a new entry: validate the slug, compose a dated id when the concept is dated, refuse to clobber. */
   async function createAction(event: ContentEvent): Promise<never> {
-    sessionOf(event);
+    requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const form = await event.request.formData();
     const slug = String(form.get('slug') ?? '').trim() || slugify(String(form.get('title') ?? ''));
@@ -325,7 +389,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
 
   /** Open a file for editing. A `?new=1` miss yields a blank document; any other miss is a 404. */
   async function editLoad(event: ContentEvent): Promise<EditData> {
-    sessionOf(event);
+    requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
@@ -387,14 +451,10 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       published,
       publishedFlash: event.url.searchParams.get('published') === '1',
       discardedFlash: event.url.searchParams.get('discarded') === '1',
+      preview: resolvePreview(runtime.preview, concept.id),
     };
   }
 
-  /** Match a commit conflict by class and by name (bundling can alias the class identity). */
-  function isConflict(err: unknown): boolean {
-    return err instanceof CommitConflictError || (err as { name?: string } | null)?.name === 'CommitConflictError';
-  }
-
   /** Log a failed commit: a conflict is the expected last-writer-wins outcome, so it warns with a
    *  reason; any other error is unexpected and logs at error with the stringified cause. Publish
    *  failures carry the same shape under their own event name. */
@@ -492,7 +552,12 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
       else if (target.draft) draftLinks.push(formatCairnToken(ref));
     }
     if (absent.length) {
-      return fail(400, { brokenLinks: absent, body });
+      const noun = absent.length === 1 ? 'page' : 'pages';
+      return fail(400, {
+        error: `This page links to ${absent.length} missing ${noun}.`,
+        brokenLinks: absent,
+        body,
+      } satisfies SaveFailure);
     }
 
     // Ensure the entry's pending branch exists (cut lazily from main's head on first save), then
@@ -525,7 +590,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
   /** Save an edit: validate, then commit to the entry's pending branch with the session editor
    *  as author. Main and its manifest stay untouched until publish. Fails safe on 409. */
   async function saveAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     // Confine the commit path to the concept dir, built from a validated id (the App token can
@@ -546,7 +611,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
    *  The branch is deleted only when its head still matches the commit this action made; a
    *  concurrent save moved it, so the entry stays pending and the next publish picks it up. */
   async function publishAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
@@ -585,7 +650,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
    *  Mounted on the concept list shim, but the topbar posts here from anywhere, so the route's
    *  concept param is ignored and the redirect lands on the first configured concept. */
   async function publishAllAction(event: ContentEvent): Promise<never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const first = runtime.concepts[0];
     if (!first) throw error(404, 'No content types configured');
     const token = await mintToken(event.platform?.env ?? {});
@@ -672,7 +737,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
   /** Discard an entry's pending edits: delete the branch (tolerant of already-gone) and return to
    *  the edit page when the entry lives on main, else to the list (the entry is gone entirely). */
   async function discardAction(event: ContentEvent): Promise<never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
@@ -705,7 +770,11 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     const manifest = await readManifest(token);
     const inbound = inboundLinks(manifest, concept.id, id);
     if (inbound.length) {
-      return fail(409, { inboundLinks: inbound, id });
+      return fail(409, {
+        error: `Cannot delete ${id}: ${inbound.length} ${inbound.length === 1 ? 'page links' : 'pages link'} to it.`,
+        inboundLinks: inbound,
+        id,
+      } satisfies DeleteRefusal);
     }
 
     // When the entry was never published (absent from main), the branch delete is the whole
@@ -749,7 +818,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
 
   /** Delete an entry from its editor. The id comes from the route param. */
   async function deleteAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
@@ -758,7 +827,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
 
   /** Delete an entry from the concept list. The id comes from the form body. */
   async function listDeleteAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const form = await event.request.formData();
     const id = String(form.get('id') ?? '');
@@ -771,7 +840,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
    *  are the authoritative gate. The same last-writer-wins manifest race as save and delete applies,
    *  caught by the build's fail-closed backstop. */
   async function renameAction(event: ContentEvent): Promise<ReturnType<typeof fail> | never> {
-    const editor = sessionOf(event);
+    const editor = requireSession(event);
     const concept = conceptOf(runtime, event.params);
     const id = event.params.id ?? '';
     if (!isValidId(id)) throw error(400, 'Invalid entry id');
@@ -780,20 +849,20 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     // Pending edits on the branch are keyed to the old id; renaming underneath them would strand
     // them, so refuse until the editor publishes or discards.
     if ((await branchHeadSha(runtime.backend, pendingBranch(concept.id, id), token)) !== null) {
-      return fail(409, { renameError: 'This entry has unpublished edits. Publish or discard them, then rename.' });
+      return fail(409, { error: 'This entry has unpublished edits. Publish or discard them, then rename.' } satisfies RenameFailure);
     }
 
     const form = await event.request.formData();
     const newSlug = String(form.get('slug') ?? '').trim();
     if (!isValidId(newSlug)) {
-      return fail(400, { renameError: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' });
+      return fail(400, { error: 'Enter a valid slug: lowercase letters, numbers, and hyphens.' } satisfies RenameFailure);
     }
     const datePrefix = concept.routing.dated ? concept.datePrefix : null;
     if (concept.routing.dated && /^\d{4}-/.test(newSlug)) {
-      return fail(400, { renameError: 'Leave the date out of the slug.' });
+      return fail(400, { error: 'Leave the date out of the slug.' } satisfies RenameFailure);
     }
     if (newSlug === slugFromId(id, datePrefix)) {
-      return fail(400, { renameError: 'That is already the slug.' });
+      return fail(400, { error: 'That is already the slug.' } satisfies RenameFailure);
     }
     const newId = renameId(id, newSlug, datePrefix);
     const oldPath = `${concept.dir}/${filenameFromId(id)}`;
@@ -804,7 +873,7 @@ export function createContentRoutes(runtime: CairnRuntime, deps: ContentRoutesDe
     // concurrent-rename race where another editor renamed onto this path between load and submit.
     const clobber = await readRaw(runtime.backend, newPath, token);
     if (clobber !== null) {
-      return fail(409, { renameError: 'An entry with that slug already exists.' });
+      return fail(409, { error: 'An entry with that slug already exists.' } satisfies RenameFailure);
     }
 
     const [entryRaw, manifest] = await Promise.all([

package/src/lib/sveltekit/guard.ts

@@ -6,7 +6,7 @@ import { resolveSession } from '../auth/store.js';
 import { sessionCookieName } from '../auth/crypto.js';
 import { isUnsafeFormRequest, originMatches, validateCsrfToken } from './csrf.js';
 import { applySecurityHeaders } from './admin-response.js';
-import { renderConditionResponse } from './condition-response.js';
+import { renderConditionResponse, REASON_CONDITION } from './condition-response.js';
 import { log } from '../log/index.js';
 import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
@@ -60,6 +60,20 @@ export function createAuthGuard() {
       return renderConditionResponse('edge.https-not-forced', { url: event.url });
     }
 
+    // No auth store binding means no admin path can work: the gated views cannot resolve a
+    // session, and a login or confirm POST would die in its action with a raw 500. That is an
+    // operator fault, not a sign-in problem, so name the condition on every admin path, the
+    // public ones included, instead of rendering a login form that can never succeed.
+    const env = event.platform?.env ?? {};
+    if (!env.AUTH_DB) {
+      log.error('guard.rejected', {
+        reason: 'bindings',
+        conditionId: REASON_CONDITION.bindings,
+        path: pathname,
+      });
+      return renderConditionResponse(REASON_CONDITION.bindings);
+    }
+
     // Rule 1 - admin: every unsafe form POST carries a valid double-submit token, else the branded
     // 403 before resolve() runs. This covers the public login/auth posts too.
     if (isUnsafeFormRequest(event.request) && !(await validateCsrfToken(event))) {
@@ -68,9 +82,8 @@ export function createAuthGuard() {
     }
 
     if (!isPublicAdminPath(pathname)) {
-      const env = event.platform?.env ?? {};
       const id = event.cookies.get(sessionCookieName(event.url.protocol === 'https:'));
-      const editor = id && env.AUTH_DB ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
+      const editor = id ? await resolveSession(env.AUTH_DB, id, Date.now()) : null;
       if (!editor) throw redirect(303, '/admin/login');
       event.locals.editor = editor;
     }
@@ -80,8 +93,10 @@ export function createAuthGuard() {
   };
 }
 
-/** For a protected load/action: the session the guard already resolved, or a login redirect. */
-export function requireSession(event: RequestContext): Editor {
+/** For a protected load/action: the session the guard already resolved, or a login redirect.
+ *  The parameter is the minimal structural need (just `locals`), so every engine event shape
+ *  (RequestContext, the content routes' ContentEvent) and a real RequestEvent all satisfy it. */
+export function requireSession(event: { locals: { editor?: Editor | null } }): Editor {
   const editor = event.locals.editor;
   if (!editor) throw redirect(303, '/admin/login');
   return editor;