@glw907/cairn-cms 0.5.0 → 0.6.0-rc.0

package/src/lib/adapter.ts

@@ -1,119 +0,0 @@
-// cairn-core: the adapter contract each site implements.
-//
-// This is the single seam that lets one admin surface serve different designs. A site
-// supplies a `CairnAdapter` (see `src/lib/cairn.config.ts`) describing its backend repo,
-// its editable collections (folder + form fields + frontmatter validator), and its preview
-// plugin set. cairn-core never hard-codes a collection, tag, or directive; it reads them
-// from the adapter. Field descriptors are plain data so a load function can hand them to
-// the editor form across the server-to-client boundary.
-import type { PreviewPlugins } from './carta';
-import type { RepoRef } from './github';
-import type { ComponentRegistry } from './render';
-
-interface FieldBase {
-  /** Frontmatter key and form input name. */
-  name: string;
-  label: string;
-  required?: boolean;
-}
-
-export interface TextField extends FieldBase {
-  type: 'text';
-}
-export interface DateField extends FieldBase {
-  type: 'date';
-}
-export interface TextareaField extends FieldBase {
-  type: 'textarea';
-  rows?: number;
-}
-export interface BooleanField extends FieldBase {
-  type: 'boolean';
-}
-export interface TagsField extends FieldBase {
-  type: 'tags';
-  /** Controlled vocabulary rendered as checkboxes. */
-  options: readonly string[];
-}
-export interface FreeTagsField extends FieldBase {
-  type: 'freetags';
-  /** Free-form tags, edited as one comma-separated text input (no controlled vocabulary). */
-  placeholder?: string;
-}
-
-export type CairnField =
-  | TextField
-  | DateField
-  | TextareaField
-  | BooleanField
-  | TagsField
-  | FreeTagsField;
-
-export interface CairnCollection {
-  /** Route `[type]` segment and list key, e.g. `posts`. */
-  type: string;
-  label: string;
-  /** Repo-relative folder holding the collection's markdown files. */
-  dir: string;
-  /** Editor form fields, rendered in order. */
-  fields: CairnField[];
-  /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
-  validate(data: Record<string, unknown>, source: string): object;
-}
-
-export interface CairnAdapter {
-  /** Branding + magic-link email copy. */
-  siteName: string;
-  /** From: address for magic-link email (must be a domain-authenticated sender). */
-  sender: string;
-  /** The repository the admin reads content from and commits to. */
-  backend: RepoRef;
-  /** Site plugin set for the Carta preview (parity with the live render). */
-  preview: PreviewPlugins;
-  collections: CairnCollection[];
-  /**
-   * The site's component registry: the single declaration of its directive
-   * components (R10a). Rendering parity already flows through `preview`; this
-   * exposes the same registry so the editor's insert-component palette can read
-   * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
-   * omit it or supply an empty registry.
-   */
-  registry?: ComponentRegistry;
-}
-
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined {
-  return adapter.collections.find((collection) => collection.type === type);
-}
-
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export function frontmatterFromForm(
-  collection: CairnCollection,
-  form: FormData,
-): Record<string, unknown> {
-  const data: Record<string, unknown> = {};
-  for (const field of collection.fields) {
-    switch (field.type) {
-      case 'boolean':
-        data[field.name] = form.get(field.name) === 'on';
-        break;
-      case 'tags':
-        data[field.name] = form.getAll(field.name).map(String);
-        break;
-      case 'freetags':
-        // One comma-separated input → trimmed, de-duplicated, non-empty tags.
-        data[field.name] = [
-          ...new Set(
-            String(form.get(field.name) ?? '')
-              .split(',')
-              .map((tag) => tag.trim())
-              .filter(Boolean),
-          ),
-        ];
-        break;
-      default:
-        data[field.name] = form.get(field.name);
-    }
-  }
-  return data;
-}

package/src/lib/auth/admins.ts

@@ -1,106 +0,0 @@
-// cairn-core: owner-gated editor management, on better-auth's admin API. The `user` table IS
-// the allowlist (disableSignUp ⇒ only listed emails can sign in), so add/remove editor = create/
-// remove user; role flips go through the admin plugin's access-control roles (owner/editor).
-// These run as SvelteKit form actions; each verifies the acting user is an owner first.
-import { redirect, error } from '@sveltejs/kit';
-import type { Auth } from './config';
-import type { CairnUser } from './guard';
-
-export interface AdminsData {
-  admins: CairnUser[];
-  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-  self: string;
-  saved: boolean;
-  error: string | null;
-}
-
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export function requireOwner(user: CairnUser | null): CairnUser {
-  if (!user) throw error(401, 'Not signed in');
-  if (user.role !== 'owner') throw error(403, 'Owner access required');
-  return user;
-}
-
-type Ev = { locals: { auth: Auth; user: CairnUser | null }; request: Request; url: URL };
-
-function asCairnUser(u: { id: string; email: string; name: string; role?: string | null }): CairnUser {
-  return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-
-/** Find an editor by exact (lowercased) email, or undefined. */
-async function findByEmail(event: Ev, email: string): Promise<CairnUser | undefined> {
-  const res = await event.locals.auth.api.listUsers({
-    query: { searchValue: email, searchField: 'email', limit: 100 },
-    headers: event.request.headers,
-  });
-  const match = (res.users ?? []).find((u) => u.email.toLowerCase() === email);
-  return match ? asCairnUser(match) : undefined;
-}
-
-/** List the allowlist for the manage-editors page. Owner-only. */
-export async function adminsLoad(event: Ev): Promise<AdminsData> {
-  const owner = requireOwner(event.locals.user);
-  const res = await event.locals.auth.api.listUsers({
-    query: { limit: 200 },
-    headers: event.request.headers,
-  });
-  const admins = (res.users ?? []).map(asCairnUser).sort((a, b) => a.email.localeCompare(b.email));
-  return {
-    admins,
-    self: owner.email,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
-/** Add an editor (create the user). Owner-only. */
-export async function addAdmin(event: Ev): Promise<never> {
-  requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const name = String(form.get('name') ?? '').trim();
-  const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-  if (!EMAIL_RE.test(email) || !name) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-  }
-  // No password: a magic-link-only user (no credential account), per better-auth's createUser.
-  await event.locals.auth.api.createUser({ body: { email, name, role }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event: Ev): Promise<never> {
-  const owner = requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (email === owner.email) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-  }
-  const target = await findByEmail(event, email);
-  if (!target) throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  await event.locals.auth.api.removeUser({ body: { userId: target.id }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event: Ev): Promise<never> {
-  const owner = requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-  if (email === owner.email && role !== 'owner') {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-  }
-  const target = await findByEmail(event, email);
-  if (!target) throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  await event.locals.auth.api.setRole({ body: { userId: target.id, role }, headers: event.request.headers });
-  // M3: revoke a demoted editor's live sessions so the privilege drop takes effect immediately.
-  await event.locals.auth.api.revokeUserSessions({ body: { userId: target.id }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}

package/src/lib/auth/config.ts

@@ -1,108 +0,0 @@
-// cairn-core: the better-auth instance. Auth is engine code (engine-fat rule), so the whole
-// config lives here: Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles.
-// Instantiated PER REQUEST in hooks.server.ts (the D1 binding is request-scoped); the factory
-// is cheap (no I/O at construction).
-import { betterAuth } from 'better-auth';
-import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { drizzle } from 'drizzle-orm/d1';
-import { magicLink, admin } from 'better-auth/plugins';
-import { createAccessControl } from 'better-auth/plugins/access';
-import { defaultStatements } from 'better-auth/plugins/admin/access';
-import type { D1Database } from '@cloudflare/workers-types';
-import { sendMagicLink, type EmailSender } from '../email';
-import * as schema from './schema';
-
-// Two-tier roles on the admin plugin's access-control system: `owner` holds every admin
-// statement (manage editors, revoke sessions); `editor` holds none (content-only). `adminRoles`
-// must name a role defined here, so owner (not the plugin's built-in `admin`) is the gate.
-const ac = createAccessControl(defaultStatements);
-const owner = ac.newRole(defaultStatements);
-const editor = ac.newRole({});
-
-/** Worker bindings + vars the auth layer reads (a structural subset of `Platform.env`). */
-export interface AuthEnv {
-  AUTH_DB?: D1Database;
-  AUTH_SECRET?: string;
-  /** Canonical origin; `BETTER_AUTH_URL` is accepted as a legacy alias. */
-  PUBLIC_ORIGIN?: string;
-  /** Legacy alias for `PUBLIC_ORIGIN`; `PUBLIC_ORIGIN` takes precedence when both are set. */
-  BETTER_AUTH_URL?: string;
-  EMAIL?: EmailSender;
-}
-
-/** Branding the magic-link email needs; threaded from the site adapter via hooks. */
-export interface AuthBranding {
-  siteName: string;
-  /** The `From:` address used when sending magic-link emails. */
-  sender: string;
-}
-
-/** The drizzle adapter result `betterAuth` consumes (same provider/schema everywhere). */
-type DrizzleDb = Parameters<typeof drizzleAdapter>[0];
-
-/**
- * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
- * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
- * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
- * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
- * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
- */
-export function buildAuth(opts: {
-  database: DrizzleDb;
-  baseURL: string;
-  secret: string | undefined;
-  branding: AuthBranding;
-  sendLink: (email: string, token: string) => Promise<void>;
-}) {
-  return betterAuth({
-    appName: opts.branding.siteName,
-    secret: opts.secret,
-    baseURL: opts.baseURL,
-    trustedOrigins: [opts.baseURL],
-    database: opts.database,
-    plugins: [
-      magicLink({
-        disableSignUp: true,
-        expiresIn: 600,
-        storeToken: 'hashed',
-        sendMagicLink: async ({ email, token }, ctx) => {
-          // Allowlist gate: better-auth always fires this callback (even for unknown emails, to
-          // avoid enumeration) and only blocks user creation at verify. So gate the actual send
-          // here. Never email a non-editor. The login UI shows neutral copy either way, so this
-          // leaks nothing; it just stops strangers receiving a dead link.
-          const existing = await ctx?.context.internalAdapter.findUserByEmail(email);
-          if (!existing?.user) return;
-          await opts.sendLink(email, token);
-        },
-      }),
-      admin({ ac, roles: { owner, editor }, defaultRole: 'editor', adminRoles: ['owner'] }),
-    ],
-  });
-}
-
-/**
- * Build the per-request better-auth instance over the site's D1 binding. The magic-link email
- * points at OUR confirm page carrying only the token; consumption happens when the user clicks
- * "Confirm sign-in" there (a POST), never on a scanner GET (C2 / POST-confirm). The origin is
- * config-derived (`PUBLIC_ORIGIN`/`BETTER_AUTH_URL`), never request-derived (H3).
- */
-export function createAuth(env: AuthEnv, branding: AuthBranding) {
-  if (!env.AUTH_DB) throw new Error('AUTH_DB (D1) binding is required');
-  const origin = env.PUBLIC_ORIGIN || env.BETTER_AUTH_URL || 'http://localhost';
-  const db = drizzle(env.AUTH_DB, { schema });
-  return buildAuth({
-    database: drizzleAdapter(db, { provider: 'sqlite', schema }),
-    baseURL: origin,
-    secret: env.AUTH_SECRET,
-    branding,
-    sendLink: async (email, token) => {
-      if (!env.EMAIL) throw new Error('EMAIL binding is required to send magic links');
-      const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-      await sendMagicLink(env.EMAIL, email, link, branding.siteName, branding.sender);
-    },
-  });
-}
-
-export type Auth = ReturnType<typeof createAuth>;

package/src/lib/auth/guard.ts

@@ -1,60 +0,0 @@
-// cairn-core: server-side auth helpers the site route shims delegate to. Each takes the
-// SvelteKit event, typed structurally so the package never depends on a site's generated
-// `App.*` ambient types, plus the per-request `Auth` from `locals`.
-import { redirect } from '@sveltejs/kit';
-import type { Auth } from './config';
-
-/** The session shape the whole admin reads: layout, guards, content fns, manage-editors. */
-export interface CairnUser {
-  id: string;
-  email: string;
-  name: string;
-  role: 'owner' | 'editor';
-}
-
-/** Read the better-auth session into a cairn user (or null). */
-export async function loadSession(auth: Auth, request: Request): Promise<CairnUser | null> {
-  const session = await auth.api.getSession({ headers: request.headers });
-  if (!session?.user) return null;
-  const u = session.user as { id: string; email: string; name: string; role?: string | null };
-  return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-
-export function requireSession(user: CairnUser | null): CairnUser {
-  if (!user) throw redirect(303, '/admin/login');
-  return user;
-}
-
-type ConfirmEvent = { request: Request; locals: { auth: Auth }; url: URL };
-
-/**
- * POST-confirm verification (C2). Invoked from the confirm page's POST action: proxies the
- * token to better-auth's GET verify endpoint via the per-request handler, then forwards the
- * resulting Set-Cookie(s) onto a 303 to /admin. Scanners GET the confirm *page* (nothing is
- * consumed); only this explicit POST consumes the token.
- */
-export async function confirmSignIn(event: ConfirmEvent): Promise<Response> {
-  const form = await event.request.formData();
-  const token = String(form.get('token') ?? '');
-  if (!token) throw redirect(303, '/admin/login?error=expired');
-
-  const verifyUrl = `${event.url.origin}/api/auth/magic-link/verify?token=${encodeURIComponent(token)}&callbackURL=/admin`;
-  const res = await event.locals.auth.handler(new Request(verifyUrl, { headers: event.request.headers }));
-  const cookies = res.headers.getSetCookie();
-  if (cookies.length === 0) throw redirect(303, '/admin/login?error=expired');
-
-  const headers = new Headers({ location: '/admin' });
-  for (const cookie of cookies) headers.append('set-cookie', cookie);
-  return new Response(null, { status: 303, headers });
-}
-
-/** Sign out via better-auth, forwarding the session-clearing cookies, then 303 to login. */
-export async function signOut(event: { request: Request; locals: { auth: Auth } }): Promise<Response> {
-  const origin = new URL(event.request.url).origin;
-  const res = await event.locals.auth.handler(
-    new Request(`${origin}/api/auth/sign-out`, { method: 'POST', headers: event.request.headers }),
-  );
-  const headers = new Headers({ location: '/admin/login' });
-  for (const cookie of res.headers.getSetCookie()) headers.append('set-cookie', cookie);
-  return new Response(null, { status: 303, headers });
-}

package/src/lib/auth/index.ts

@@ -1,6 +0,0 @@
-// Public surface of `@glw907/cairn-cms/auth`: the per-request factory + server-side helpers
-// the site route shims and hooks delegate to. The browser client is intentionally NOT here
-// (it lives component-local in LoginPage to keep better-auth's deep client types out of dist).
-export { createAuth, type Auth, type AuthEnv, type AuthBranding } from './config';
-export { loadSession, requireSession, confirmSignIn, signOut, type CairnUser } from './guard';
-export { adminsLoad, addAdmin, removeAdmin, setAdminRole, requireOwner, type AdminsData } from './admins';

package/src/lib/auth/schema.ts

@@ -1,112 +0,0 @@
-import { relations, sql } from "drizzle-orm";
-import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
-
-export const user = sqliteTable("user", {
-  id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  email: text("email").notNull().unique(),
-  emailVerified: integer("email_verified", { mode: "boolean" })
-    .default(false)
-    .notNull(),
-  image: text("image"),
-  createdAt: integer("created_at", { mode: "timestamp_ms" })
-    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-    .notNull(),
-  updatedAt: integer("updated_at", { mode: "timestamp_ms" })
-    .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  role: text("role"),
-  banned: integer("banned", { mode: "boolean" }).default(false),
-  banReason: text("ban_reason"),
-  banExpires: integer("ban_expires", { mode: "timestamp_ms" }),
-});
-
-export const session = sqliteTable(
-  "session",
-  {
-    id: text("id").primaryKey(),
-    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
-    token: text("token").notNull().unique(),
-    createdAt: integer("created_at", { mode: "timestamp_ms" })
-      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-      .notNull(),
-    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-    ipAddress: text("ip_address"),
-    userAgent: text("user_agent"),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    impersonatedBy: text("impersonated_by"),
-  },
-  (table) => [index("session_userId_idx").on(table.userId)],
-);
-
-export const account = sqliteTable(
-  "account",
-  {
-    id: text("id").primaryKey(),
-    accountId: text("account_id").notNull(),
-    providerId: text("provider_id").notNull(),
-    userId: text("user_id")
-      .notNull()
-      .references(() => user.id, { onDelete: "cascade" }),
-    accessToken: text("access_token"),
-    refreshToken: text("refresh_token"),
-    idToken: text("id_token"),
-    accessTokenExpiresAt: integer("access_token_expires_at", {
-      mode: "timestamp_ms",
-    }),
-    refreshTokenExpiresAt: integer("refresh_token_expires_at", {
-      mode: "timestamp_ms",
-    }),
-    scope: text("scope"),
-    password: text("password"),
-    createdAt: integer("created_at", { mode: "timestamp_ms" })
-      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-      .notNull(),
-    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-  },
-  (table) => [index("account_userId_idx").on(table.userId)],
-);
-
-export const verification = sqliteTable(
-  "verification",
-  {
-    id: text("id").primaryKey(),
-    identifier: text("identifier").notNull(),
-    value: text("value").notNull(),
-    expiresAt: integer("expires_at", { mode: "timestamp_ms" }).notNull(),
-    createdAt: integer("created_at", { mode: "timestamp_ms" })
-      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-      .notNull(),
-    updatedAt: integer("updated_at", { mode: "timestamp_ms" })
-      .default(sql`(cast(unixepoch('subsecond') * 1000 as integer))`)
-      .$onUpdate(() => /* @__PURE__ */ new Date())
-      .notNull(),
-  },
-  (table) => [index("verification_identifier_idx").on(table.identifier)],
-);
-
-export const userRelations = relations(user, ({ many }) => ({
-  sessions: many(session),
-  accounts: many(account),
-}));
-
-export const sessionRelations = relations(session, ({ one }) => ({
-  user: one(user, {
-    fields: [session.userId],
-    references: [user.id],
-  }),
-}));
-
-export const accountRelations = relations(account, ({ one }) => ({
-  user: one(user, {
-    fields: [account.userId],
-    references: [user.id],
-  }),
-}));

package/src/lib/carta.ts

@@ -1,59 +0,0 @@
-// cairn-core: pure Carta options/transformer wiring for render-only preview.
-//
-// Plugins are passed in rather than imported; that seam is what the Pass D adapter formalises.
-// No `carta-md` import: its index re-exports Svelte components that the node test env
-// can't load. The Svelte component calls `new Carta(previewCartaOptions(...))` directly.
-import type { Pluggable, Processor } from 'unified';
-
-export interface PreviewPlugins {
-  /** remark plugins, injected after gfm and before remark-rehype. */
-  remarkPlugins: Pluggable[];
-  /** rehype plugins, injected after remark-rehype. */
-  rehypePlugins: Pluggable[];
-}
-
-interface PreviewTransformer {
-  execution: 'sync';
-  type: 'remark' | 'rehype';
-  transform: (ctx: { processor: Processor }) => void;
-}
-
-function phase(plugins: Pluggable[], type: PreviewTransformer['type']): PreviewTransformer[] {
-  return plugins.map((plugin) => ({
-    execution: 'sync',
-    type,
-    transform: ({ processor }) => {
-      processor.use([plugin]);
-    },
-  }));
-}
-
-/**
- * Map the site's plugin set to Carta sync transformers, remark phase before rehype.
- * Carta's processor is remarkParse → gfm → [remark] → remark-rehype → [rehype] → stringify,
- * so this ordering reproduces render.ts exactly. Pure (no Carta) so it is unit-testable.
- */
-export function previewTransformers({ remarkPlugins, rehypePlugins }: PreviewPlugins): PreviewTransformer[] {
-  return [...phase(remarkPlugins, 'remark'), ...phase(rehypePlugins, 'rehype')];
-}
-
-/** Minimal Options subset we populate (avoids importing carta-md, which re-exports Svelte components). */
-interface PreviewCartaOptions {
-  sanitizer: false;
-  rehypeOptions: { allowDangerousHtml: boolean };
-  extensions: Array<{ transformers: PreviewTransformer[] }>;
-}
-
-/**
- * Carta options for a render-only preview: site plugins wired in, raw HTML allowed, no
- * sanitizer. Authors are trusted and the directive pipeline emits intentional raw HTML
- * (render.ts uses allowDangerousHtml + rehype-raw); sanitizing here would strip EC
- * primitives. The Svelte component passes this to `new Carta(...)`.
- */
-export function previewCartaOptions(plugins: PreviewPlugins): PreviewCartaOptions {
-  return {
-    sanitizer: false,
-    rehypeOptions: { allowDangerousHtml: true },
-    extensions: [{ transformers: previewTransformers(plugins) }],
-  };
-}

package/src/lib/components/AdminList.svelte

@@ -1,33 +0,0 @@
-<script lang="ts">
-  // The /admin content list: every collection's files, linking into the editor. Data comes
-  // from `adminListLoad` (collections) merged with `adminLayoutLoad` (siteName). The shell
-  // (AdminLayout) owns the chrome (site title, signed-in identity, nav, sign out), so this
-  // page renders only the content body.
-  import type { AdminCollectionList } from '../sveltekit';
-
-  interface Props {
-    data: { collections: AdminCollectionList[] };
-  }
-  let { data }: Props = $props();
-</script>
-
-<h1 class="text-2xl font-bold">Content</h1>
-
-{#each data.collections as collection (collection.type)}
-  <section class="mt-8">
-    <h2 class="mb-3 text-lg font-semibold">{collection.label}</h2>
-    {#if collection.error}
-      <div class="alert alert-warning">Couldn't load {collection.label.toLowerCase()}: {collection.error}</div>
-    {:else if collection.files.length === 0}
-      <p class="opacity-60">No content yet.</p>
-    {:else}
-      <ul class="menu rounded-box border border-base-300 bg-base-100 p-2">
-        {#each collection.files as file (file.path)}
-          <li>
-            <a href="/admin/edit/{collection.type}/{file.id}">{file.id}</a>
-          </li>
-        {/each}
-      </ul>
-    {/if}
-  </section>
-{/each}