@glw907/cairn-cms 0.5.0 → 0.6.0-rc.0

package/src/lib/sveltekit/index.ts

@@ -1,235 +1,19 @@
-// cairn-core: the SvelteKit content-route server logic, extracted so each site's `admin/**`
-// route files are thin shims (`export const load = (event) => editLoad(event, cairn)`).
-//
-// SvelteKit's filesystem routing requires the route *files* to live in each site's
-// `src/routes/`, but their bodies are identical across sites. Only the adapter differs.
-// These functions take the SvelteKit event (typed structurally, to avoid depending on the
-// site-generated `App.*` ambient types) plus the site `CairnAdapter`, and throw
-// `redirect`/`error` from `@sveltejs/kit` (a peer dependency, so the thrown objects share
-// class identity with the host's runtime; otherwise the redirect 500s). Auth/session/manage-editors
-// logic lives under `@glw907/cairn-cms/auth`; this module is content-only (list/edit/save).
-import { redirect, error } from '@sveltejs/kit';
-import matter from 'gray-matter';
-import type { CairnUser } from '../auth/guard';
-import {
-  listMarkdown,
-  readRaw,
-  commitFile,
-  installationToken,
-  signingSelfTest,
-  CommitConflictError,
-  type RepoFile,
-} from '../github';
-import { serializeMarkdown } from '../content';
-import { findCollection, frontmatterFromForm, type CairnAdapter, type CairnField } from '../adapter';
-
-/** The `platform.env` bindings the content routes read. All optional; the handlers guard. */
-export interface AdminEnv {
-  GITHUB_APP_ID?: string;
-  GITHUB_APP_INSTALLATION_ID?: string;
-  GITHUB_APP_PRIVATE_KEY_B64?: string;
-}
-
-interface PlatformEvent {
-  platform?: { env?: AdminEnv };
-}
-
-/**
- * Mint a GitHub App installation token for *reads* when the App is configured, else undefined
- * (reads then fall back to anonymous). Authenticated reads get the 5000/hr limit; anonymous
- * reads share GitHub's 60/hr-per-IP budget across Cloudflare's egress IPs, so they 403 in prod.
- * A mint failure degrades gracefully to anonymous rather than 500ing. Unlike the commit path,
- * where a missing App is fatal, a read can still succeed unauthenticated.
- */
-async function readToken(env: AdminEnv | undefined): Promise<string | undefined> {
-  if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
-    return undefined;
-  }
-  try {
-    return await installationToken({
-      appId: env.GITHUB_APP_ID,
-      installationId: env.GITHUB_APP_INSTALLATION_ID,
-      privateKeyB64: env.GITHUB_APP_PRIVATE_KEY_B64,
-    });
-  } catch (err) {
-    console.error('read token mint failed; falling back to anonymous read:', err);
-    return undefined;
-  }
-}
-
-// ── /admin layout ──────────────────────────────────────────────────────────
-
-export interface AdminLayoutData {
-  user: CairnUser | null;
-  siteName: string;
-  pathname: string;
-}
-
-/**
- * Branding + session for every admin page. `siteName` flows from the adapter without pulling
- * its plugin graph into client bundles; the import stays server-side in the layout load.
- * `pathname` lets the shared shell highlight the active nav item without a `$app/*` import
- * (those kit virtual modules have no types outside a kit app, so they can't live in the
- * package); reading `event.url` here also opts the layout load into rerunning on navigation.
- */
-export function adminLayoutLoad(
-  event: { locals: { user: CairnUser | null }; url: URL },
-  adapter: CairnAdapter,
-): AdminLayoutData {
-  return { user: event.locals.user, siteName: adapter.siteName, pathname: event.url.pathname };
-}
-
-// ── /admin (content list) ────────────────────────────────────────────────────
-
-export interface AdminCollectionList {
-  type: string;
-  label: string;
-  files: RepoFile[];
-  error?: string;
-}
-
-/** List every collection's markdown files. A failed listing degrades to an inline error. */
-export async function adminListLoad(
-  event: PlatformEvent,
-  adapter: CairnAdapter,
-): Promise<{ collections: AdminCollectionList[] }> {
-  const token = await readToken(event.platform?.env);
-  const collections = await Promise.all(
-    adapter.collections.map(async ({ type, label, dir }): Promise<AdminCollectionList> => {
-      try {
-        return { type, label, files: await listMarkdown(adapter.backend, dir, token) };
-      } catch (err) {
-        // A failed listing (rate limit, network) shouldn't 500 the whole admin.
-        return { type, label, files: [], error: err instanceof Error ? err.message : 'Failed to load' };
-      }
-    }),
-  );
-  return { collections };
-}
-
-// ── /admin/edit/[type]/[id] ─────────────────────────────────────────────────
-
-export interface EditData {
-  type: string;
-  id: string;
-  label: string;
-  fields: CairnField[];
-  path: string;
-  body: string;
-  frontmatter: Record<string, unknown>;
-  title: string;
-  saved: boolean;
-  error: string | null;
-}
-
-export async function editLoad(
-  event: PlatformEvent & { params: { type: string; id: string }; url: URL },
-  adapter: CairnAdapter,
-): Promise<EditData> {
-  const collection = findCollection(adapter, event.params.type);
-  if (!collection) throw error(404, 'Unknown collection');
-
-  const token = await readToken(event.platform?.env);
-  const path = `${collection.dir}/${event.params.id}.md`;
-  const raw = await readRaw(adapter.backend, path, token);
-  if (raw === null) throw error(404, 'Content not found');
-
-  // Split frontmatter from body server-side; the editor form binds to the frontmatter and
-  // the Carta editor binds to the body, and /admin/save reassembles them on commit.
-  const { data: frontmatter, content: body } = matter(raw);
-
-  return {
-    type: event.params.type,
-    id: event.params.id,
-    label: collection.label,
-    fields: collection.fields,
-    path,
-    body,
-    frontmatter,
-    title: typeof frontmatter.title === 'string' ? frontmatter.title : event.params.id,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
-// ── /admin/save (POST) ──────────────────────────────────────────────────────
-
-export async function saveCommit(
-  event: PlatformEvent & { request: Request; locals: { user: CairnUser | null } },
-  adapter: CairnAdapter,
-): Promise<never> {
-  const user = event.locals.user;
-  if (!user) throw error(401, 'Not signed in');
-
-  const env = event.platform?.env;
-  if (!env?.GITHUB_APP_ID || !env.GITHUB_APP_INSTALLATION_ID || !env.GITHUB_APP_PRIVATE_KEY_B64) {
-    throw error(500, 'GitHub App is not configured');
-  }
-
-  const form = await event.request.formData();
-  const type = String(form.get('type') ?? '');
-  const id = String(form.get('id') ?? '');
-  const body = String(form.get('body') ?? '');
-  const collection = findCollection(adapter, type);
-  if (!collection || !id) throw error(400, 'Bad request');
-
-  // Build frontmatter from the posted fields and validate against the collection's schema; a
-  // bad field bounces back to the editor with the validator's message rather than 500ing.
-  let frontmatter: object;
-  try {
-    frontmatter = collection.validate(frontmatterFromForm(collection, form), `${id}.md`);
-  } catch (err) {
-    const message = err instanceof Error ? err.message : 'Invalid frontmatter';
-    throw redirect(303, `/admin/edit/${type}/${id}?error=${encodeURIComponent(message)}`);
-  }
-
-  const markdown = serializeMarkdown(frontmatter, body);
-  const token = await installationToken({
-    appId: env.GITHUB_APP_ID,
-    installationId: env.GITHUB_APP_INSTALLATION_ID,
-    privateKeyB64: env.GITHUB_APP_PRIVATE_KEY_B64,
-  });
-
-  try {
-    await commitFile(
-      adapter.backend,
-      `${collection.dir}/${id}.md`,
-      markdown,
-      { message: `Update ${collection.label.toLowerCase()}: ${id}`, author: { name: user.name, email: user.email } },
-      token,
-    );
-  } catch (err) {
-    // Concurrent-edit 409 (C3): fail safe. Bounce back with a reload prompt; the editor reloads
-    // the current version and reapplies. Any other error is unexpected, so rethrow.
-    if (err instanceof CommitConflictError) {
-      const message = 'This file changed since you opened it. Reload and reapply your edits.';
-      throw redirect(303, `/admin/edit/${type}/${id}?error=${encodeURIComponent(message)}`);
-    }
-    throw err;
-  }
-
-  throw redirect(303, `/admin/edit/${type}/${id}?saved=1`);
-}
-
-// ── /admin/healthz (GET) ──────────────────────────────────────────────────────
-
-export interface HealthData {
-  ok: boolean;
-  checks: { githubAppSigning: { ok: boolean; detail?: string } };
-}
-
-/**
- * Deploy-time health check (M2): signs a dummy App JWT to prove the GitHub App key loads and
- * the PKCS#1→PKCS#8 conversion still works, before an editor hits it on save. Behind the
- * `/admin` guard (signed-in editors only); returns ok/fail with no secret in the body.
- */
-export async function healthLoad(event: PlatformEvent): Promise<HealthData> {
-  const env = event.platform?.env;
-  let githubAppSigning: { ok: boolean; detail?: string };
-  if (env?.GITHUB_APP_ID && env.GITHUB_APP_PRIVATE_KEY_B64) {
-    githubAppSigning = await signingSelfTest(env.GITHUB_APP_ID, env.GITHUB_APP_PRIVATE_KEY_B64);
-  } else {
-    githubAppSigning = { ok: false, detail: 'GitHub App not configured' };
-  }
-  return { ok: githubAppSigning.ok, checks: { githubAppSigning } };
-}
+// SvelteKit server logic consumed by site route shims: the guard plus the auth, editor,
+// content, and health route factories and functions.
+export { createAuthGuard, requireSession, requireOwner } from './guard.js';
+export { createAuthRoutes, type AuthRoutesConfig } from './auth-routes.js';
+export { createEditorRoutes } from './editors-routes.js';
+export { createContentRoutes } from './content-routes.js';
+export type {
+  NavConcept,
+  LayoutData,
+  EntrySummary,
+  ListData,
+  EditData,
+  ContentEvent,
+  ContentRoutesDeps,
+} from './content-routes.js';
+export { createNavRoutes } from './nav-routes.js';
+export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
+export { healthLoad, type HealthData } from './health.js';
+export type { RequestContext, CookieJar, HandleInput } from './types.js';

package/src/lib/sveltekit/nav-routes.ts

@@ -0,0 +1,139 @@
+// The admin nav-editing routes: the load and save a site's /admin/nav shim calls. A factory closes
+// over the composed runtime and the GitHub token mint, mirroring createContentRoutes, so the read
+// and commit paths are unit-testable against a fetch double with an injected token.
+import { redirect, error } from '@sveltejs/kit';
+import { appCredentials, type GithubKeyEnv } from '../github/credentials.js';
+import { installationToken } from '../github/signing.js';
+import { listMarkdown, readRaw, commitFile } from '../github/repo.js';
+import { CommitConflictError } from '../github/types.js';
+import { parseSiteConfig, extractMenu, validateNavTree, setMenu, type NavNode } from '../nav/site-config.js';
+import type { CairnRuntime } from '../content/types.js';
+import type { ContentEvent } from './content-routes.js';
+import type { Editor } from '../auth/types.js';
+
+/** One page option for the URL picker datalist. */
+export interface NavPageOption {
+  label: string;
+  url: string;
+}
+
+/** The nav editor's load data: the menu meta, the current tree, page options, and flags. */
+export interface NavLoadData {
+  menu: { name: string; label: string; maxDepth: number };
+  tree: NavNode[];
+  pages: NavPageOption[];
+  saved: boolean;
+  error: string | null;
+}
+
+/** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
+export interface NavRoutesDeps {
+  mintToken?: (env: GithubKeyEnv) => Promise<string>;
+}
+
+/** The signed-in editor the guard resolved, or a login redirect. */
+function sessionOf(event: ContentEvent): Editor {
+  const editor = event.locals.editor;
+  if (!editor) throw redirect(303, '/admin/login');
+  return editor;
+}
+
+/** Match a commit conflict by class and by name (bundling can alias the class identity). */
+function isConflict(err: unknown): boolean {
+  return err instanceof CommitConflictError || (err as { name?: string } | null)?.name === 'CommitConflictError';
+}
+
+export function createNavRoutes(runtime: CairnRuntime, deps: NavRoutesDeps = {}) {
+  const mintToken =
+    deps.mintToken ?? ((env: GithubKeyEnv) => installationToken(appCredentials(runtime.backend, env)));
+
+  /** List page-like concepts (routable, not dated) for the URL picker. Best-effort per concept. */
+  async function pageOptions(token: string): Promise<NavPageOption[]> {
+    const pageConcepts = runtime.concepts.filter((c) => c.routing.routable && !c.routing.dated);
+    const lists = await Promise.all(
+      pageConcepts.map(async (c) => {
+        try {
+          const files = await listMarkdown(runtime.backend, c.dir, token);
+          return files.map((f): NavPageOption => ({ label: f.id, url: `/${f.id}` }));
+        } catch {
+          return [];
+        }
+      }),
+    );
+    return lists.flat();
+  }
+
+  /** Load the nav editor. A missing or unparsable config degrades to an empty tree so it still opens. */
+  async function navLoad(event: ContentEvent): Promise<NavLoadData> {
+    sessionOf(event);
+    const config = runtime.navMenu;
+    if (!config) throw error(404, 'No navigation menu configured');
+    const maxDepth = config.maxDepth ?? 2;
+    const menu = { name: config.menuName, label: config.label, maxDepth };
+
+    let token: string;
+    try {
+      token = await mintToken(event.platform?.env ?? {});
+    } catch {
+      return { menu, tree: [], pages: [], saved: false, error: 'Could not authenticate with GitHub.' };
+    }
+
+    let tree: NavNode[] = [];
+    try {
+      const raw = await readRaw(runtime.backend, config.configPath, token);
+      if (raw !== null) tree = extractMenu(parseSiteConfig(raw), config.menuName, maxDepth);
+    } catch {
+      // A malformed or unreadable config degrades to an empty tree; the first save writes a clean menu.
+      tree = [];
+    }
+
+    return {
+      menu,
+      tree,
+      pages: await pageOptions(token),
+      saved: event.url.searchParams.get('saved') === '1',
+      error: event.url.searchParams.get('error'),
+    };
+  }
+
+  /** Save the nav tree: validate, then read-modify-commit the one menu with the session editor as author. */
+  async function navSave(event: ContentEvent): Promise<never> {
+    const editor = sessionOf(event);
+    const config = runtime.navMenu;
+    if (!config) throw error(404, 'No navigation menu configured');
+    const maxDepth = config.maxDepth ?? 2;
+
+    const form = await event.request.formData();
+    let tree: NavNode[];
+    try {
+      tree = validateNavTree(JSON.parse(String(form.get('tree') ?? '[]')), maxDepth);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Invalid navigation';
+      throw redirect(303, `/admin/nav?error=${encodeURIComponent(message)}`);
+    }
+
+    const token = await mintToken(event.platform?.env ?? {});
+    const raw = await readRaw(runtime.backend, config.configPath, token);
+    if (raw === null) throw error(404, 'Site config not found');
+
+    try {
+      await commitFile(
+        runtime.backend,
+        config.configPath,
+        setMenu(raw, config.menuName, tree),
+        { message: `Update ${config.label.toLowerCase()}`, author: { name: editor.displayName, email: editor.email } },
+        token,
+      );
+    } catch (err) {
+      if (isConflict(err)) {
+        const message = 'The site config changed since you opened it. Reload and reapply your edits.';
+        throw redirect(303, `/admin/nav?error=${encodeURIComponent(message)}`);
+      }
+      throw err;
+    }
+
+    throw redirect(303, '/admin/nav?saved=1');
+  }
+
+  return { navLoad, navSave };
+}

package/src/lib/sveltekit/types.ts

@@ -0,0 +1,33 @@
+// Structural subsets of SvelteKit's RequestEvent. A site passes its real event, which has
+// these and more, so the engine never imports a site's generated App.* ambient types.
+import type { AuthEnv, Editor } from '../auth/types.js';
+
+export interface CookieSetOptions {
+  path: string;
+  httpOnly?: boolean;
+  secure?: boolean;
+  sameSite?: 'lax' | 'strict' | 'none';
+  maxAge?: number;
+}
+
+export interface CookieJar {
+  get(name: string): string | undefined;
+  set(name: string, value: string, opts: CookieSetOptions): void;
+  delete(name: string, opts: { path: string }): void;
+}
+
+export interface RequestContext {
+  url: URL;
+  request: Request;
+  cookies: CookieJar;
+  locals: { editor?: Editor | null };
+  platform?: { env?: AuthEnv };
+  // Required so a site cannot silently drop the confirm page's Referrer-Policy header
+  // (spec 7.1). A real SvelteKit RequestEvent always supplies it.
+  setHeaders(headers: Record<string, string>): void;
+}
+
+export interface HandleInput {
+  event: RequestContext;
+  resolve(event: RequestContext): Promise<Response> | Response;
+}

package/dist/adapter.d.ts

@@ -1,69 +0,0 @@
-import type { PreviewPlugins } from './carta';
-import type { RepoRef } from './github';
-import type { ComponentRegistry } from './render';
-interface FieldBase {
-    /** Frontmatter key and form input name. */
-    name: string;
-    label: string;
-    required?: boolean;
-}
-export interface TextField extends FieldBase {
-    type: 'text';
-}
-export interface DateField extends FieldBase {
-    type: 'date';
-}
-export interface TextareaField extends FieldBase {
-    type: 'textarea';
-    rows?: number;
-}
-export interface BooleanField extends FieldBase {
-    type: 'boolean';
-}
-export interface TagsField extends FieldBase {
-    type: 'tags';
-    /** Controlled vocabulary rendered as checkboxes. */
-    options: readonly string[];
-}
-export interface FreeTagsField extends FieldBase {
-    type: 'freetags';
-    /** Free-form tags, edited as one comma-separated text input (no controlled vocabulary). */
-    placeholder?: string;
-}
-export type CairnField = TextField | DateField | TextareaField | BooleanField | TagsField | FreeTagsField;
-export interface CairnCollection {
-    /** Route `[type]` segment and list key, e.g. `posts`. */
-    type: string;
-    label: string;
-    /** Repo-relative folder holding the collection's markdown files. */
-    dir: string;
-    /** Editor form fields, rendered in order. */
-    fields: CairnField[];
-    /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
-    validate(data: Record<string, unknown>, source: string): object;
-}
-export interface CairnAdapter {
-    /** Branding + magic-link email copy. */
-    siteName: string;
-    /** From: address for magic-link email (must be a domain-authenticated sender). */
-    sender: string;
-    /** The repository the admin reads content from and commits to. */
-    backend: RepoRef;
-    /** Site plugin set for the Carta preview (parity with the live render). */
-    preview: PreviewPlugins;
-    collections: CairnCollection[];
-    /**
-     * The site's component registry: the single declaration of its directive
-     * components (R10a). Rendering parity already flows through `preview`; this
-     * exposes the same registry so the editor's insert-component palette can read
-     * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
-     * omit it or supply an empty registry.
-     */
-    registry?: ComponentRegistry;
-}
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export declare function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined;
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export declare function frontmatterFromForm(collection: CairnCollection, form: FormData): Record<string, unknown>;
-export {};
-//# sourceMappingURL=adapter.d.ts.map

package/dist/adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAElD,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}

package/dist/adapter.js

@@ -1,30 +0,0 @@
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export function findCollection(adapter, type) {
-    return adapter.collections.find((collection) => collection.type === type);
-}
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export function frontmatterFromForm(collection, form) {
-    const data = {};
-    for (const field of collection.fields) {
-        switch (field.type) {
-            case 'boolean':
-                data[field.name] = form.get(field.name) === 'on';
-                break;
-            case 'tags':
-                data[field.name] = form.getAll(field.name).map(String);
-                break;
-            case 'freetags':
-                // One comma-separated input → trimmed, de-duplicated, non-empty tags.
-                data[field.name] = [
-                    ...new Set(String(form.get(field.name) ?? '')
-                        .split(',')
-                        .map((tag) => tag.trim())
-                        .filter(Boolean)),
-                ];
-                break;
-            default:
-                data[field.name] = form.get(field.name);
-        }
-    }
-    return data;
-}

package/dist/auth/admins.d.ts

@@ -1,33 +0,0 @@
-import type { Auth } from './config';
-import type { CairnUser } from './guard';
-export interface AdminsData {
-    admins: CairnUser[];
-    /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-    self: string;
-    saved: boolean;
-    error: string | null;
-}
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export declare function requireOwner(user: CairnUser | null): CairnUser;
-type Ev = {
-    locals: {
-        auth: Auth;
-        user: CairnUser | null;
-    };
-    request: Request;
-    url: URL;
-};
-/** List the allowlist for the manage-editors page. Owner-only. */
-export declare function adminsLoad(event: Ev): Promise<AdminsData>;
-/** Add an editor (create the user). Owner-only. */
-export declare function addAdmin(event: Ev): Promise<never>;
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export declare function removeAdmin(event: Ev): Promise<never>;
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export declare function setAdminRole(event: Ev): Promise<never>;
-export {};
-//# sourceMappingURL=admins.d.ts.map

package/dist/auth/admins.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"admins.d.ts","sourceRoot":"","sources":["../../src/lib/auth/admins.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAID;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAI9D;AAED,KAAK,EAAE,GAAG;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBzF,kEAAkE;AAClE,wBAAsB,UAAU,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAa/D;AAED,mDAAmD;AACnD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAYxD;AAED,qGAAqG;AACrG,wBAAsB,WAAW,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAW3D;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAc5D"}

package/dist/auth/admins.js

@@ -1,90 +0,0 @@
-// cairn-core: owner-gated editor management, on better-auth's admin API. The `user` table IS
-// the allowlist (disableSignUp ⇒ only listed emails can sign in), so add/remove editor = create/
-// remove user; role flips go through the admin plugin's access-control roles (owner/editor).
-// These run as SvelteKit form actions; each verifies the acting user is an owner first.
-import { redirect, error } from '@sveltejs/kit';
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export function requireOwner(user) {
-    if (!user)
-        throw error(401, 'Not signed in');
-    if (user.role !== 'owner')
-        throw error(403, 'Owner access required');
-    return user;
-}
-function asCairnUser(u) {
-    return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-/** Find an editor by exact (lowercased) email, or undefined. */
-async function findByEmail(event, email) {
-    const res = await event.locals.auth.api.listUsers({
-        query: { searchValue: email, searchField: 'email', limit: 100 },
-        headers: event.request.headers,
-    });
-    const match = (res.users ?? []).find((u) => u.email.toLowerCase() === email);
-    return match ? asCairnUser(match) : undefined;
-}
-/** List the allowlist for the manage-editors page. Owner-only. */
-export async function adminsLoad(event) {
-    const owner = requireOwner(event.locals.user);
-    const res = await event.locals.auth.api.listUsers({
-        query: { limit: 200 },
-        headers: event.request.headers,
-    });
-    const admins = (res.users ?? []).map(asCairnUser).sort((a, b) => a.email.localeCompare(b.email));
-    return {
-        admins,
-        self: owner.email,
-        saved: event.url.searchParams.get('saved') === '1',
-        error: event.url.searchParams.get('error'),
-    };
-}
-/** Add an editor (create the user). Owner-only. */
-export async function addAdmin(event) {
-    requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    const name = String(form.get('name') ?? '').trim();
-    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-    if (!EMAIL_RE.test(email) || !name) {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-    }
-    // No password: a magic-link-only user (no credential account), per better-auth's createUser.
-    await event.locals.auth.api.createUser({ body: { email, name, role }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event) {
-    const owner = requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    if (email === owner.email) {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-    }
-    const target = await findByEmail(event, email);
-    if (!target)
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-    await event.locals.auth.api.removeUser({ body: { userId: target.id }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event) {
-    const owner = requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-    if (email === owner.email && role !== 'owner') {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-    }
-    const target = await findByEmail(event, email);
-    if (!target)
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-    await event.locals.auth.api.setRole({ body: { userId: target.id, role }, headers: event.request.headers });
-    // M3: revoke a demoted editor's live sessions so the privilege drop takes effect immediately.
-    await event.locals.auth.api.revokeUserSessions({ body: { userId: target.id }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}