@glw907/cairn-cms 0.5.0 → 0.6.0-rc.0

package/dist/auth/crypto.d.ts

@@ -0,0 +1,13 @@
+/** The session cookie name. */
+export declare const COOKIE_NAME = "cairn_session";
+/** Magic-link tokens live 10 minutes. */
+export declare const TOKEN_TTL_MS: number;
+/** Sessions live 30 days. */
+export declare const SESSION_TTL_MS: number;
+/** A fresh 256-bit magic-link token, url-safe. */
+export declare function generateToken(): string;
+/** A fresh 256-bit session id, url-safe. */
+export declare function generateSessionId(): string;
+/** The lowercase hex SHA-256 of a token, for storage and lookup. */
+export declare function hashToken(token: string): Promise<string>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/auth/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/auth/crypto.ts"],"names":[],"mappings":"AAIA,+BAA+B;AAC/B,eAAO,MAAM,WAAW,kBAAkB,CAAC;AAE3C,yCAAyC;AACzC,eAAO,MAAM,YAAY,QAAiB,CAAC;AAE3C,6BAA6B;AAC7B,eAAO,MAAM,cAAc,QAA2B,CAAC;AAUvD,kDAAkD;AAClD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,4CAA4C;AAC5C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,oEAAoE;AACpE,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI9D"}

package/dist/auth/crypto.js

@@ -0,0 +1,31 @@
+// Token and session-id generation plus SHA-256 token hashing, on Web Crypto so the
+// code runs unchanged in workerd. The store keeps only the hash of a token, never the
+// token itself (spec 7.1).
+/** The session cookie name. */
+export const COOKIE_NAME = 'cairn_session';
+/** Magic-link tokens live 10 minutes. */
+export const TOKEN_TTL_MS = 10 * 60 * 1000;
+/** Sessions live 30 days. */
+export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+function randomBase64Url(byteLength = 32) {
+    const bytes = new Uint8Array(byteLength);
+    crypto.getRandomValues(bytes);
+    let binary = '';
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replaceAll('=', '');
+}
+/** A fresh 256-bit magic-link token, url-safe. */
+export function generateToken() {
+    return randomBase64Url(32);
+}
+/** A fresh 256-bit session id, url-safe. */
+export function generateSessionId() {
+    return randomBase64Url(32);
+}
+/** The lowercase hex SHA-256 of a token, for storage and lookup. */
+export async function hashToken(token) {
+    const data = new TextEncoder().encode(token);
+    const digest = await crypto.subtle.digest('SHA-256', data);
+    return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, '0')).join('');
+}

package/dist/auth/store.d.ts

@@ -0,0 +1,41 @@
+import type { D1Database } from '@cloudflare/workers-types';
+import type { Editor, Role } from './types.js';
+/** Look an email up in the allowlist. */
+export declare function findEditor(db: D1Database, email: string): Promise<Editor | null>;
+/** Replace any prior token for this email with a fresh one, atomically. */
+export declare function issueToken(db: D1Database, email: string, tokenHash: string, expiresAt: number, now: number): Promise<void>;
+/**
+ * Consume a token in one atomic statement. A returned email means the token was present and
+ * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
+ */
+export declare function consumeToken(db: D1Database, tokenHash: string, now: number): Promise<string | null>;
+/** Create a session row. */
+export declare function createSession(db: D1Database, id: string, email: string, expiresAt: number, now: number): Promise<void>;
+/**
+ * Resolve a session to its editor, joining `editor` so the role is read live. An expired
+ * session or a removed editor resolves to null, which revokes access on the next request.
+ */
+export declare function resolveSession(db: D1Database, id: string, now: number): Promise<Editor | null>;
+/** Delete a session (logout). */
+export declare function deleteSession(db: D1Database, id: string): Promise<void>;
+/** The full allowlist, sorted by email. */
+export declare function listEditors(db: D1Database): Promise<Editor[]>;
+/** Add an editor to the allowlist. */
+export declare function insertEditor(db: D1Database, email: string, displayName: string, role: Role, now: number): Promise<void>;
+/** Remove an editor and cut their live access (sessions and any pending token go too). */
+export declare function deleteEditor(db: D1Database, email: string): Promise<void>;
+/**
+ * Remove an owner only if another owner remains. The count is part of the DELETE, so two
+ * concurrent removals cannot both pass a separate check and strand the allowlist at zero
+ * owners. Returns false (and writes nothing) when this is the last owner. On success the
+ * editor's sessions and pending token go too.
+ */
+export declare function removeOwnerIfNotLast(db: D1Database, email: string): Promise<boolean>;
+/** Change an editor's role. The guard reads the new role on the next request. */
+export declare function setEditorRole(db: D1Database, email: string, role: Role): Promise<void>;
+/**
+ * Demote an owner to editor only if another owner remains, in one atomic statement (see
+ * `removeOwnerIfNotLast`). Returns false (and writes nothing) when this is the last owner.
+ */
+export declare function demoteOwnerIfNotLast(db: D1Database, email: string): Promise<boolean>;
+//# sourceMappingURL=store.d.ts.map

package/dist/auth/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/lib/auth/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAQ/C,yCAAyC;AACzC,wBAAsB,UAAU,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMtF;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,CAC9B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMzG;AAED,4BAA4B;AAC5B,wBAAsB,aAAa,CACjC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUpG;AAED,iCAAiC;AACjC,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE7E;AAED,2CAA2C;AAC3C,wBAAsB,WAAW,CAAC,EAAE,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAKnE;AAED,sCAAsC;AACtC,wBAAsB,YAAY,CAChC,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAM/E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAe1F;AAED,iFAAiF;AACjF,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAE5F;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1F"}

package/dist/auth/store.js

@@ -0,0 +1,115 @@
+function toEditor(row) {
+    return { email: row.email, displayName: row.display_name, role: row.role };
+}
+/** Look an email up in the allowlist. */
+export async function findEditor(db, email) {
+    const row = await db
+        .prepare('SELECT email, display_name, role FROM editor WHERE email = ?')
+        .bind(email)
+        .first();
+    return row ? toEditor(row) : null;
+}
+/** Replace any prior token for this email with a fresh one, atomically. */
+export async function issueToken(db, email, tokenHash, expiresAt, now) {
+    await db.batch([
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+        db
+            .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+            .bind(tokenHash, email, expiresAt, now),
+    ]);
+}
+/**
+ * Consume a token in one atomic statement. A returned email means the token was present and
+ * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
+ */
+export async function consumeToken(db, tokenHash, now) {
+    const row = await db
+        .prepare('DELETE FROM magic_token WHERE token_hash = ? AND expires_at > ? RETURNING email')
+        .bind(tokenHash, now)
+        .first();
+    return row?.email ?? null;
+}
+/** Create a session row. */
+export async function createSession(db, id, email, expiresAt, now) {
+    await db
+        .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+        .bind(id, email, expiresAt, now)
+        .run();
+}
+/**
+ * Resolve a session to its editor, joining `editor` so the role is read live. An expired
+ * session or a removed editor resolves to null, which revokes access on the next request.
+ */
+export async function resolveSession(db, id, now) {
+    const row = await db
+        .prepare(`SELECT e.email AS email, e.display_name AS display_name, e.role AS role
+       FROM session s JOIN editor e ON e.email = s.email
+       WHERE s.id = ? AND s.expires_at > ?`)
+        .bind(id, now)
+        .first();
+    return row ? toEditor(row) : null;
+}
+/** Delete a session (logout). */
+export async function deleteSession(db, id) {
+    await db.prepare('DELETE FROM session WHERE id = ?').bind(id).run();
+}
+/** The full allowlist, sorted by email. */
+export async function listEditors(db) {
+    const { results } = await db
+        .prepare('SELECT email, display_name, role FROM editor ORDER BY email')
+        .all();
+    return results.map(toEditor);
+}
+/** Add an editor to the allowlist. */
+export async function insertEditor(db, email, displayName, role, now) {
+    await db
+        .prepare('INSERT INTO editor (email, display_name, role, created_at) VALUES (?, ?, ?, ?)')
+        .bind(email, displayName, role, now)
+        .run();
+}
+/** Remove an editor and cut their live access (sessions and any pending token go too). */
+export async function deleteEditor(db, email) {
+    await db.batch([
+        db.prepare('DELETE FROM session WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM editor WHERE email = ?').bind(email),
+    ]);
+}
+/**
+ * Remove an owner only if another owner remains. The count is part of the DELETE, so two
+ * concurrent removals cannot both pass a separate check and strand the allowlist at zero
+ * owners. Returns false (and writes nothing) when this is the last owner. On success the
+ * editor's sessions and pending token go too.
+ */
+export async function removeOwnerIfNotLast(db, email) {
+    const res = await db
+        .prepare(`DELETE FROM editor
+       WHERE email = ? AND role = 'owner'
+         AND (SELECT COUNT(*) FROM editor WHERE role = 'owner') > 1`)
+        .bind(email)
+        .run();
+    if (res.meta.changes !== 1)
+        return false;
+    await db.batch([
+        db.prepare('DELETE FROM session WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+    ]);
+    return true;
+}
+/** Change an editor's role. The guard reads the new role on the next request. */
+export async function setEditorRole(db, email, role) {
+    await db.prepare('UPDATE editor SET role = ? WHERE email = ?').bind(role, email).run();
+}
+/**
+ * Demote an owner to editor only if another owner remains, in one atomic statement (see
+ * `removeOwnerIfNotLast`). Returns false (and writes nothing) when this is the last owner.
+ */
+export async function demoteOwnerIfNotLast(db, email) {
+    const res = await db
+        .prepare(`UPDATE editor SET role = 'editor'
+       WHERE email = ? AND role = 'owner'
+         AND (SELECT COUNT(*) FROM editor WHERE role = 'owner') > 1`)
+        .bind(email)
+        .run();
+    return res.meta.changes === 1;
+}

package/dist/auth/types.d.ts

@@ -0,0 +1,25 @@
+import type { D1Database } from '@cloudflare/workers-types';
+export type Role = 'owner' | 'editor';
+/** The session shape the whole admin reads: guard, loads, content fns, manage-editors. */
+export interface Editor {
+    email: string;
+    displayName: string;
+    role: Role;
+}
+/** Worker bindings and vars the auth layer reads; a structural subset of `Platform.env`. */
+export interface AuthEnv {
+    AUTH_DB?: D1Database;
+    /** Canonical origin for confirmation links, never read from a request header (spec 7.1, risk H3). */
+    PUBLIC_ORIGIN?: string;
+    /** Cloudflare Email Sending binding. */
+    EMAIL?: {
+        send(message: {
+            to: string;
+            from: string;
+            subject: string;
+            html: string;
+            text: string;
+        }): Promise<void>;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/auth/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,0FAA0F;AAC1F,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4FAA4F;AAC5F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,qGAAqG;IACrG,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wCAAwC;IACxC,KAAK,CAAC,EAAE;QACN,IAAI,CAAC,OAAO,EAAE;YACZ,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,MAAM,CAAC;SACd,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACnB,CAAC;CACH"}

package/dist/auth/types.js

@@ -0,0 +1 @@
+export {};

package/dist/components/AdminLayout.svelte

@@ -1,130 +1,80 @@
+<!--
+@component
+The admin shell: a DaisyUI drawer-and-navbar that wraps every authed admin page. The nav is
+data-driven from the enabled concepts and role-gated (owners see the manage-editors entry). The
+root sets `data-theme="cairn-admin"` and imports the self-contained Warm Stone theme, so the
+admin looks identical on every host regardless of the site's own theme.
+-->
 <script lang="ts">
-  // Neutral admin chrome, shared across sites so the tool looks identical everywhere (only the
-  // adapter's siteName varies). When signed in it's a responsive DaisyUI drawer+navbar shell
-  // (`drawer lg:drawer-open`, sidebar pinned on desktop, slide-over + hamburger on mobile),
-  // patterned on scosman/CMSaasStarter's `(admin)/(menu)` layout. The nav is data-driven and
-  // role-gated, so a new surface is one entry in `nav` (plus its route + component). Signed out
-  // (the login page lives under this layout) it falls back to a minimal centered shell.
-  // Each site's `admin/+layout.svelte` is a one-line shim that forwards `data` + `children`.
   import type { Snippet } from 'svelte';
-  import type { CairnUser } from '../auth';
+  import type { LayoutData } from '../sveltekit/content-routes.js';
+  import './cairn-admin.css';
 
-  let {
-    data,
-    children,
-  }: {
-    data: { siteName: string; user: CairnUser | null; pathname: string };
+  interface Props {
+    /** The layout load's data: site name, user, nav concepts, active path, owner capability. */
+    data: LayoutData;
+    /** The page body. */
     children: Snippet;
-  } = $props();
+  }
+
+  let { data, children }: Props = $props();
 
   interface NavItem {
     href: string;
     label: string;
-    icon: Snippet;
-    active: boolean;
-    /** Owner-only surface; hidden from regular editors. */
     owner?: boolean;
   }
 
-  const nav = $derived<NavItem[]>([
-    {
-      href: '/admin',
-      label: 'Content',
-      icon: contentIcon,
-      active: data.pathname === '/admin' || data.pathname.startsWith('/admin/edit'),
-    },
-    {
-      href: '/admin/admins',
-      label: 'Editors',
-      icon: editorsIcon,
-      owner: true,
-      active: data.pathname.startsWith('/admin/admins'),
-    },
+  const navItems: NavItem[] = $derived([
+    ...data.concepts.map((c) => ({ href: `/admin/${c.id}`, label: c.label })),
+    ...(data.navLabel ? [{ href: '/admin/nav', label: data.navLabel }] : []),
+    { href: '/admin/editors', label: 'Editors', owner: true },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
-  // Close the slide-over after a nav tap on mobile (no-op on desktop where it's pinned open).
-  function closeDrawer(): void {
-    const toggle = document.getElementById('admin-drawer');
-    if (toggle instanceof HTMLInputElement) toggle.checked = false;
+  const visibleNav = $derived(navItems.filter((item) => !item.owner || data.canManageEditors));
+
+  function isActive(href: string): boolean {
+    return data.pathname === href || data.pathname.startsWith(`${href}/`);
   }
 </script>
 
-{#snippet contentIcon()}
-  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-      d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-  </svg>
-{/snippet}
-
-{#snippet editorsIcon()}
-  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-      d="M17 20h5v-2a4 4 0 00-3-3.87M9 20H4v-2a4 4 0 013-3.87m6-1.13a4 4 0 10-4-4 4 4 0 004 4zm6 0a4 4 0 10-3.5-2.1" />
-  </svg>
-{/snippet}
+<div data-theme="cairn-admin" class="drawer lg:drawer-open min-h-screen bg-base-200 text-base-content">
+  <input id="cairn-drawer" type="checkbox" class="drawer-toggle" />
 
-<svelte:head>
-  <meta name="robots" content="noindex, nofollow" />
-</svelte:head>
-
-{#if data.user}
-  <div class="drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
-    <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
-
-    <div class="drawer-content">
-      <!-- Mobile top bar; the desktop sidebar replaces this at lg. -->
-      <div class="navbar bg-base-100 lg:hidden">
-        <div class="flex-1">
-          <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
-        </div>
-        <div class="flex-none">
-          <label for="admin-drawer" class="btn btn-square btn-ghost" aria-label="Open menu">
-            <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h7" />
-            </svg>
-          </label>
-        </div>
+  <div class="drawer-content flex flex-col">
+    <div class="navbar bg-base-100 border-b border-base-300">
+      <div class="flex-none lg:hidden">
+        <label for="cairn-drawer" aria-label="Open menu" class="btn btn-square btn-ghost">
+          <svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16" />
+          </svg>
+        </label>
       </div>
-
-      <main class="container px-4 py-6 lg:px-8">
-        {@render children()}
-      </main>
+      <div class="flex-1 px-2 font-semibold">{data.siteName}</div>
+      <div class="flex-none px-2 text-sm text-[var(--color-muted)]">{data.user.displayName}</div>
     </div>
 
-    <div class="drawer-side z-10">
-      <label for="admin-drawer" class="drawer-overlay" aria-label="Close menu"></label>
-      <div class="flex min-h-full w-80 flex-col bg-base-100 lg:border-r lg:border-base-300">
-        <ul class="menu menu-lg grow p-4">
-          <li class="menu-title flex flex-row items-center text-xl font-bold text-base-content">
-            <span class="grow">{data.siteName} CMS</span>
-            <label for="admin-drawer" class="ml-3 cursor-pointer lg:hidden" aria-label="Close menu">✕</label>
-          </li>
-          {#each visibleNav as item (item.href)}
-            <li>
-              <a href={item.href} class={item.active ? 'active' : ''} onclick={closeDrawer}>
-                {@render item.icon()}
-                {item.label}
-              </a>
-            </li>
-          {/each}
-        </ul>
-
-        <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.user.name}</p>
-          <p class="text-xs opacity-60">{data.user.email}</p>
-          <form method="POST" action="/admin/auth/logout" class="mt-3">
-            <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
-          </form>
-        </div>
-      </div>
-    </div>
-  </div>
-{:else}
-  <!-- Signed out (login page): no nav, just a centered surface. -->
-  <div class="min-h-screen bg-base-200" data-pagefind-ignore>
-    <div class="mx-auto max-w-3xl px-4 py-8">
+    <main class="flex-1 p-4 lg:p-8">
       {@render children()}
-    </div>
+    </main>
+  </div>
+
+  <div class="drawer-side">
+    <label for="cairn-drawer" aria-label="Close menu" class="drawer-overlay"></label>
+    <nav class="bg-base-100 min-h-full w-64 border-r border-base-300 p-4" aria-label="Site content">
+      <div class="menu-title mb-2 px-2 text-xs uppercase tracking-wide text-[var(--color-muted)]">Content</div>
+      <ul class="menu menu-lg w-full">
+        {#each visibleNav as item (item.href)}
+          <li>
+            <a href={item.href} class:menu-active={isActive(item.href)} aria-current={isActive(item.href) ? 'page' : undefined}>
+              {item.label}
+            </a>
+          </li>
+        {/each}
+      </ul>
+      <form method="POST" action="/admin/auth/logout" class="mt-6 px-2">
+        <button type="submit" class="btn btn-ghost btn-sm btn-block">Sign out</button>
+      </form>
+    </nav>
   </div>
-{/if}
+</div>

package/dist/components/AdminLayout.svelte.d.ts

@@ -1,14 +1,19 @@
 import type { Snippet } from 'svelte';
-import type { CairnUser } from '../auth';
-type $$ComponentProps = {
-    data: {
-        siteName: string;
-        user: CairnUser | null;
-        pathname: string;
-    };
+import type { LayoutData } from '../sveltekit/content-routes.js';
+import './cairn-admin.css';
+interface Props {
+    /** The layout load's data: site name, user, nav concepts, active path, owner capability. */
+    data: LayoutData;
+    /** The page body. */
     children: Snippet;
-};
-declare const AdminLayout: import("svelte").Component<$$ComponentProps, {}, "">;
+}
+/**
+ * The admin shell: a DaisyUI drawer-and-navbar that wraps every authed admin page. The nav is
+ * data-driven from the enabled concepts and role-gated (owners see the manage-editors entry). The
+ * root sets `data-theme="cairn-admin"` and imports the self-contained Warm Stone theme, so the
+ * admin looks identical on every host regardless of the site's own theme.
+ */
+declare const AdminLayout: import("svelte").Component<Props, {}, "">;
 type AdminLayout = ReturnType<typeof AdminLayout>;
 export default AdminLayout;
 //# sourceMappingURL=AdminLayout.svelte.d.ts.map

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACrE,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAyHJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,mBAAmB,CAAC;AAGzB,UAAU,KAAK;IACb,4FAA4F;IAC5F,IAAI,EAAE,UAAU,CAAC;IACjB,qBAAqB;IACrB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAyEH;;;;;GAKG;AACH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/ComponentPalette.svelte

@@ -0,0 +1,50 @@
+<!--
+@component
+The insert-component palette: a dropdown listing the site's registered directive components
+(seam 3). Picking one inserts its template at the cursor through the editor's insert callback.
+Renders nothing when the site configures no registry.
+-->
+<script lang="ts">
+  import type { ComponentRegistry } from '../render/registry.js';
+
+  interface Props {
+    /** The site's component registry; the palette derives its catalog from it. */
+    registry?: ComponentRegistry;
+    /** Insert a template at the editor's cursor. */
+    insert: (template: string) => void;
+  }
+
+  let { registry, insert }: Props = $props();
+
+  const defs = $derived(registry?.defs ?? []);
+  let open = $state(false);
+</script>
+
+{#if defs.length > 0}
+  <div
+    class="dropdown"
+    class:dropdown-open={open}
+    role="presentation"
+    onkeydown={(e) => { if (e.key === 'Escape') open = false; }}
+  >
+    <button
+      type="button"
+      class="btn btn-sm btn-ghost"
+      aria-haspopup="listbox"
+      aria-expanded={open}
+      onclick={() => (open = !open)}
+    >Insert</button>
+    <ul class="dropdown-content menu rounded-box border border-base-300 bg-base-100 z-10 w-56 shadow" role="listbox">
+      {#each defs as def (def.name)}
+        <li role="option" aria-selected={false}>
+          <button type="button" onclick={() => { insert(def.insertTemplate); open = false; }}>
+            <span class="flex flex-col items-start">
+              <span class="font-medium">{def.label}</span>
+              <span class="text-xs text-[var(--color-muted)]">{def.description}</span>
+            </span>
+          </button>
+        </li>
+      {/each}
+    </ul>
+  </div>
+{/if}

package/dist/components/ComponentPalette.svelte.d.ts

@@ -0,0 +1,16 @@
+import type { ComponentRegistry } from '../render/registry.js';
+interface Props {
+    /** The site's component registry; the palette derives its catalog from it. */
+    registry?: ComponentRegistry;
+    /** Insert a template at the editor's cursor. */
+    insert: (template: string) => void;
+}
+/**
+ * The insert-component palette: a dropdown listing the site's registered directive components
+ * (seam 3). Picking one inserts its template at the cursor through the editor's insert callback.
+ * Renders nothing when the site configures no registry.
+ */
+declare const ComponentPalette: import("svelte").Component<Props, {}, "">;
+type ComponentPalette = ReturnType<typeof ComponentPalette>;
+export default ComponentPalette;
+//# sourceMappingURL=ComponentPalette.svelte.d.ts.map

package/dist/components/ComponentPalette.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ComponentPalette.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ComponentPalette.svelte.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG7D,UAAU,KAAK;IACb,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,gDAAgD;IAChD,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;CACpC;AAgCH;;;;GAIG;AACH,QAAA,MAAM,gBAAgB,2CAAwC,CAAC;AAC/D,KAAK,gBAAgB,GAAG,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC5D,eAAe,gBAAgB,CAAC"}

package/dist/components/ConceptList.svelte

@@ -0,0 +1,81 @@
+<!--
+@component
+One concept's list view: every entry as a link to its editor, with title, date, and a draft badge,
+plus a new-entry form. The slug auto-derives from the title until the author edits the slug field.
+-->
+<script lang="ts">
+  import { slugify } from '../content/ids.js';
+  import type { ListData } from '../sveltekit/content-routes.js';
+
+  interface Props {
+    /** The list load's data: the concept, its entries, and any inline or form errors. */
+    data: ListData;
+  }
+
+  let { data }: Props = $props();
+
+  let title = $state('');
+  let slug = $state('');
+  let slugEdited = $state(false);
+
+  const derivedSlug = $derived(slugEdited ? slug : slugify(title));
+  const slugPlaceholder = $derived(data.dated ? '2026-05-my-entry' : 'about-us');
+</script>
+
+<header class="mb-4 flex items-center justify-between">
+  <h1 class="text-xl font-semibold">{data.label}</h1>
+</header>
+
+{#if data.formError}
+  <div role="alert" class="alert alert-error mb-4 text-sm">{data.formError}</div>
+{/if}
+
+{#if data.error}
+  <div role="alert" class="alert alert-warning mb-4 text-sm">{data.error}</div>
+{/if}
+
+<div class="rounded-box border border-base-300 bg-base-100 mb-6">
+  {#if data.entries.length === 0}
+    <p class="p-4 text-sm opacity-70">No entries yet.</p>
+  {:else}
+    <ul class="menu w-full">
+      {#each data.entries as entry (entry.id)}
+        <li>
+          <a href={`/admin/${data.conceptId}/${entry.id}`} class="flex items-center justify-between">
+            <span>{entry.title}</span>
+            <span class="flex items-center gap-2 text-xs text-[var(--color-muted)]">
+              {#if entry.date}<span>{entry.date}</span>{/if}
+              {#if entry.draft}<span class="badge badge-warning badge-sm">Draft</span>{/if}
+            </span>
+          </a>
+        </li>
+      {/each}
+    </ul>
+  {/if}
+</div>
+
+<form method="POST" action="?/create" class="rounded-box border border-base-300 bg-base-100 flex flex-col gap-3 p-4">
+  <h2 class="text-sm font-semibold">New entry</h2>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Title</span>
+    <input class="input" name="title" aria-label="Title" bind:value={title} required />
+  </label>
+  <label class="flex flex-col gap-1">
+    <span class="text-sm font-medium">Slug</span>
+    <input
+      class="input"
+      name="slug"
+      aria-label="Slug"
+      placeholder={slugPlaceholder}
+      value={derivedSlug}
+      oninput={(e) => { slugEdited = true; slug = e.currentTarget.value; }}
+    />
+  </label>
+  {#if data.dated}
+    <label class="flex flex-col gap-1">
+      <span class="text-sm font-medium">Date</span>
+      <input class="input" type="date" name="date" aria-label="Date" />
+    </label>
+  {/if}
+  <button type="submit" class="btn btn-primary self-start">Create</button>
+</form>

package/dist/components/ConceptList.svelte.d.ts

@@ -0,0 +1,13 @@
+import type { ListData } from '../sveltekit/content-routes.js';
+interface Props {
+    /** The list load's data: the concept, its entries, and any inline or form errors. */
+    data: ListData;
+}
+/**
+ * One concept's list view: every entry as a link to its editor, with title, date, and a draft badge,
+ * plus a new-entry form. The slug auto-derives from the title until the author edits the slug field.
+ */
+declare const ConceptList: import("svelte").Component<Props, {}, "">;
+type ConceptList = ReturnType<typeof ConceptList>;
+export default ConceptList;
+//# sourceMappingURL=ConceptList.svelte.d.ts.map

package/dist/components/ConceptList.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConceptList.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ConceptList.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAG7D,UAAU,KAAK;IACb,qFAAqF;IACrF,IAAI,EAAE,QAAQ,CAAC;CAChB;AAsEH;;;GAGG;AACH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}