@glw907/cairn-cms 0.5.0 → 0.6.0-rc.0

package/dist/content/types.d.ts

@@ -0,0 +1,210 @@
+import type { ComponentRegistry } from '../render/registry.js';
+/** Common to every frontmatter field: the frontmatter key, the form label, and whether it is required. */
+interface FieldBase {
+    /** Frontmatter key and form input name. */
+    name: string;
+    /** Form label. */
+    label: string;
+    /** A required field fails validation when empty (spec §7.4). */
+    required?: boolean;
+}
+/** A single-line text input. */
+export interface TextField extends FieldBase {
+    type: 'text';
+}
+/** A multi-line text input. */
+export interface TextareaField extends FieldBase {
+    type: 'textarea';
+    /** Visible rows; the editor picks a default when omitted. */
+    rows?: number;
+}
+/** A `YYYY-MM-DD` date input. */
+export interface DateField extends FieldBase {
+    type: 'date';
+}
+/** A checkbox; absent means false. */
+export interface BooleanField extends FieldBase {
+    type: 'boolean';
+}
+/** A closed-vocabulary tag set, rendered as checkboxes (ecnordic). */
+export interface TagsField extends FieldBase {
+    type: 'tags';
+    /** The controlled vocabulary. */
+    options: readonly string[];
+}
+/** Free-form tags, edited as one comma-separated input (907). */
+export interface FreeTagsField extends FieldBase {
+    type: 'freetags';
+    placeholder?: string;
+}
+/**
+ * The discriminated union the per-concept frontmatter form is generated from. Adding a
+ * field type is one variant here plus one decode arm in `frontmatterFromForm` and one in
+ * `validateFields`.
+ */
+export type FrontmatterField = TextField | TextareaField | DateField | BooleanField | TagsField | FreeTagsField;
+/**
+ * A validator's verdict. On success it carries the normalized frontmatter to commit; on
+ * failure it carries field-keyed error messages (the empty key is a form-level error).
+ * Invalid input bounces to the form and never reaches git (spec §7.4).
+ */
+export type ValidationResult = {
+    ok: true;
+    data: Record<string, unknown>;
+} | {
+    ok: false;
+    errors: Record<string, string>;
+};
+/**
+ * Per-site configuration for one content concept (spec §8). Concept-fixed behavior such as
+ * routability is not here; it lives in the engine's routing table (`CONCEPT_ROUTING`).
+ */
+export interface ConceptConfig {
+    /** Repo-relative content directory, e.g. "src/content/posts". */
+    dir: string;
+    /** Sidebar label; defaults from the concept id when omitted. */
+    label?: string;
+    /** Drives the per-concept frontmatter form, in order. */
+    fields: FrontmatterField[];
+    /** Validate submitted frontmatter before any commit. */
+    validate(frontmatter: Record<string, unknown>, body: string): ValidationResult;
+}
+/** The GitHub App backend a site reads from and commits to (spec §8). Plain data the GitHub engine (Plan 03) consumes. */
+export interface BackendConfig {
+    owner: string;
+    repo: string;
+    /** Commit target, e.g. "main". */
+    branch: string;
+    appId: string;
+    installationId: string;
+}
+/** Magic-link sender identity for Cloudflare Email Sending. */
+export interface SenderConfig {
+    from: string;
+    replyTo?: string;
+}
+/** A git-committed YAML menu this site's nav editor manages (Plan 06). */
+export interface NavMenuConfig {
+    /** Repo-relative path to the site-config YAML, e.g. "src/lib/site.config.yaml". */
+    configPath: string;
+    /** Key within the file's menus map, e.g. "primary". */
+    menuName: string;
+    /** Sidebar label for the menu. */
+    label: string;
+    /** Max nesting depth allowed in the editor; defaults to 2. */
+    maxDepth?: number;
+}
+/** Reserved asset slot (seam 4). Typed and unused in the rebuild; R7/R9 read it later with no contract change. */
+export interface AssetConfig {
+    /** Repo-relative asset roots, e.g. ["static/images"]. */
+    roots: string[];
+    /** Public URL base, e.g. "/images". */
+    publicBase: string;
+}
+/** The single seam the engine consumes. A site implements this at `src/lib/cairn.config.ts`. */
+export interface CairnAdapter {
+    siteName: string;
+    /**
+     * Which content concepts this site enables. A future `fragments?` key attaches here with
+     * no reshape of the contract (seam 1). A site never has two of the same concept.
+     */
+    content: {
+        posts?: ConceptConfig;
+        pages?: ConceptConfig;
+    };
+    backend: BackendConfig;
+    sender: SenderConfig;
+    /** Design-accurate preview: the same render pipeline the site ships. */
+    renderPreview(md: string): string | Promise<string>;
+    /** Directive component registry; the renderer and the future palette derive from it (seam 3). */
+    registry?: ComponentRegistry;
+    navMenu?: NavMenuConfig;
+    assets?: AssetConfig;
+}
+/**
+ * Concept-fixed routing for a normalized concept (spec §7.2). Posts are dated feed entries;
+ * pages are plain navigable structure. Not in adapter config.
+ */
+export interface RoutingRule {
+    /** Routable as a standalone URL. A future Fragments concept is embedded, not routable. */
+    routable: boolean;
+    /** Carries a date (posts). */
+    dated: boolean;
+    /** Appears in feeds and the sitemap (posts). */
+    inFeeds: boolean;
+}
+/**
+ * The engine-internal, uniform view of one concept after normalization (seam 1). The admin
+ * nav, the list views, and the editor all read this, never the raw config.
+ */
+export interface ConceptDescriptor {
+    /** Concept id, the key under `content`, e.g. "posts". */
+    id: string;
+    label: string;
+    dir: string;
+    routing: RoutingRule;
+    fields: FrontmatterField[];
+    validate(frontmatter: Record<string, unknown>, body: string): ValidationResult;
+}
+/**
+ * A site-defined admin screen contributed by an extension (Mode 2). It gains a sidebar entry, the
+ * `/admin` guard, and the session, and may commit through the same GitHub pipeline. The dispatch
+ * route is built in Plan 09; the `load`/`actions`/`component` members are typed loosely here and
+ * tightened when the machinery lands.
+ */
+export interface AdminPanel {
+    /** Routes under `/admin/<id>`; also the sidebar key. */
+    id: string;
+    /** Sidebar label. */
+    label: string;
+    /** Owner-gated, like editor management. */
+    owner?: boolean;
+    /** Server load, behind the guard. Typed in Plan 09. */
+    load?: (event: unknown) => unknown;
+    /** Named form actions, which may use the commit pipeline. Typed in Plan 09. */
+    actions?: Record<string, (event: unknown) => Promise<unknown>>;
+    /** The panel UI, rendered inside the admin shell. Typed as a component in Plan 09. */
+    component: unknown;
+}
+/**
+ * A custom frontmatter field type contributed by an extension (Mode 2): a renderer plus a validator
+ * dispatched alongside the built-in field union. The renderer and validator are typed in Plan 09
+ * when the form dispatch becomes a registry; the `type` key reserves the discriminator now.
+ */
+export interface FieldTypeDef {
+    /** The field-type discriminator, e.g. "color". */
+    type: string;
+}
+/**
+ * A future build-time extension (seam 2). It folds in the same way the adapter does and
+ * contributes the same kinds of things. Reserved and unused in the rebuild; the shape is
+ * fixed now so the extension contract is additive later.
+ */
+export interface CairnExtension {
+    /** Additional concepts, merged after the adapter's. */
+    content?: Record<string, ConceptConfig>;
+    /** Site-defined admin panels (Mode 2). Carried onto the runtime now; dispatched in Plan 09. */
+    adminPanels?: AdminPanel[];
+    /** Custom field types (Mode 2). Carried onto the runtime now; dispatched in Plan 09. */
+    fieldTypes?: FieldTypeDef[];
+}
+/**
+ * The composed runtime the engine serves from (seam 2 output). The single aggregation point
+ * (`composeRuntime`) folds the adapter and any extensions into this shape.
+ */
+export interface CairnRuntime {
+    siteName: string;
+    concepts: ConceptDescriptor[];
+    backend: BackendConfig;
+    sender: SenderConfig;
+    renderPreview(md: string): string | Promise<string>;
+    registry?: ComponentRegistry;
+    navMenu?: NavMenuConfig;
+    assets?: AssetConfig;
+    /** Admin panels contributed by extensions (Mode 2). Empty until Plan 09 wires the dispatch route. */
+    adminPanels?: AdminPanel[];
+    /** Field types contributed by extensions (Mode 2). Empty until Plan 09 wires the form dispatch. */
+    fieldTypes?: FieldTypeDef[];
+}
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/content/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/content/types.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE/D,0GAA0G;AAC1G,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,kBAAkB;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,gCAAgC;AAChC,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,+BAA+B;AAC/B,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,6DAA6D;IAC7D,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,iCAAiC;AACjC,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,sCAAsC;AACtC,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,sEAAsE;AACtE,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,iEAAiE;AACjE,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GACxB,SAAS,GACT,aAAa,GACb,SAAS,GACT,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB;;;;GAIG;AACH,MAAM,MAAM,gBAAgB,GACxB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAC3C;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CAAC;AAElD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,iEAAiE;IACjE,GAAG,EAAE,MAAM,CAAC;IACZ,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yDAAyD;IACzD,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,wDAAwD;IACxD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,gBAAgB,CAAC;CAChF;AAED,0HAA0H;AAC1H,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,+DAA+D;AAC/D,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,0EAA0E;AAC1E,MAAM,WAAW,aAAa;IAC5B,mFAAmF;IACnF,UAAU,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kHAAkH;AAClH,MAAM,WAAW,WAAW;IAC1B,yDAAyD;IACzD,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,gGAAgG;AAChG,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,EAAE;QACP,KAAK,CAAC,EAAE,aAAa,CAAC;QACtB,KAAK,CAAC,EAAE,aAAa,CAAC;KACvB,CAAC;IACF,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;IACrB,wEAAwE;IACxE,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,iGAAiG;IACjG,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,0FAA0F;IAC1F,QAAQ,EAAE,OAAO,CAAC;IAClB,8BAA8B;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,gDAAgD;IAChD,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,yDAAyD;IACzD,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,WAAW,CAAC;IACrB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,gBAAgB,CAAC;CAChF;AAED;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,wDAAwD;IACxD,EAAE,EAAE,MAAM,CAAC;IACX,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,uDAAuD;IACvD,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC;IACnC,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,sFAAsF;IACtF,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,kDAAkD;IAClD,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACxC,+FAA+F;IAC/F,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,wFAAwF;IACxF,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;IACrB,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,qGAAqG;IACrG,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,mGAAmG;IACnG,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC;CAC7B"}

package/dist/content/types.js

@@ -0,0 +1 @@
+export {};

package/dist/content/validate.d.ts

@@ -0,0 +1,13 @@
+import type { FrontmatterField, ValidationResult } from './types.js';
+/**
+ * Validate raw frontmatter against a field list. Required text and date fields must be
+ * non-empty; required tag fields must be non-empty lists. Booleans coerce to `true`/`false`
+ * and tag fields to string arrays. Returns the normalized data, or field-keyed errors when
+ * any required field is empty.
+ *
+ * Frontmatter may arrive from the edit form (all string values) or from `parseMarkdown`,
+ * where gray-matter turns an unquoted YAML date into a JS `Date`. The `date` case coerces a
+ * `Date` to `YYYY-MM-DD` so a valid parsed date is not mistaken for an empty one.
+ */
+export declare function validateFields(fields: FrontmatterField[], frontmatter: Record<string, unknown>): ValidationResult;
+//# sourceMappingURL=validate.d.ts.map

package/dist/content/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/lib/content/validate.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGrE;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,gBAAgB,EAAE,EAC1B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,gBAAgB,CA8BlB"}

package/dist/content/validate.js

@@ -0,0 +1,45 @@
+import { dateInputValue } from './frontmatter.js';
+/**
+ * Validate raw frontmatter against a field list. Required text and date fields must be
+ * non-empty; required tag fields must be non-empty lists. Booleans coerce to `true`/`false`
+ * and tag fields to string arrays. Returns the normalized data, or field-keyed errors when
+ * any required field is empty.
+ *
+ * Frontmatter may arrive from the edit form (all string values) or from `parseMarkdown`,
+ * where gray-matter turns an unquoted YAML date into a JS `Date`. The `date` case coerces a
+ * `Date` to `YYYY-MM-DD` so a valid parsed date is not mistaken for an empty one.
+ */
+export function validateFields(fields, frontmatter) {
+    const data = {};
+    const errors = {};
+    for (const field of fields) {
+        const value = frontmatter[field.name];
+        switch (field.type) {
+            case 'boolean':
+                data[field.name] = value === true;
+                break;
+            case 'tags':
+            case 'freetags': {
+                const list = Array.isArray(value) ? value.map(String) : [];
+                if (field.required && list.length === 0)
+                    errors[field.name] = `${field.label} is required`;
+                data[field.name] = list;
+                break;
+            }
+            case 'date': {
+                const text = value instanceof Date ? dateInputValue(value) : typeof value === 'string' ? value.trim() : '';
+                if (field.required && text === '')
+                    errors[field.name] = `${field.label} is required`;
+                data[field.name] = text;
+                break;
+            }
+            default: {
+                const text = typeof value === 'string' ? value.trim() : '';
+                if (field.required && text === '')
+                    errors[field.name] = `${field.label} is required`;
+                data[field.name] = text;
+            }
+        }
+    }
+    return Object.keys(errors).length > 0 ? { ok: false, errors } : { ok: true, data };
+}

package/dist/email.d.ts

@@ -1,14 +1,27 @@
-/** Cloudflare Email Sending binding surface (the object-form `send`, not the MIME form). */
-export interface EmailSender {
-    send(message: {
-        to: string;
-        from: string;
-        subject: string;
-        text?: string;
-        html?: string;
-    }): Promise<{
-        messageId: string;
-    }>;
+import type { AuthEnv } from './auth/types.js';
+export type { AuthEnv };
+/** The message a built magic-link email carries. */
+export interface MagicLinkMessage {
+    to: string;
+    from: string;
+    subject: string;
+    html: string;
+    text: string;
 }
-export declare function sendMagicLink(sender: EmailSender, to: string, link: string, siteName: string, from: string): Promise<void>;
+/** Per-site identity for the magic-link email, sourced from the adapter. */
+export interface AuthBranding {
+    siteName: string;
+    from: string;
+    replyTo?: string;
+}
+/** The injected send. Production uses `cloudflareSend`; tests pass a sink. */
+export type SendMagicLink = (env: AuthEnv, message: MagicLinkMessage) => Promise<void>;
+/** Build the confirmation email. The link is the only action; the copy stays plain. */
+export declare function buildMagicLinkMessage(input: {
+    to: string;
+    branding: AuthBranding;
+    link: string;
+}): MagicLinkMessage;
+/** The production send: Cloudflare Email Sending through the EMAIL binding. */
+export declare const cloudflareSend: SendMagicLink;
 //# sourceMappingURL=email.d.ts.map

package/dist/email.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAQA,4FAA4F;AAC5F,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAgBf"}
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../src/lib/email.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE/C,YAAY,EAAE,OAAO,EAAE,CAAC;AAExB,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,4EAA4E;AAC5E,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,8EAA8E;AAC9E,MAAM,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAYvF,uFAAuF;AACvF,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;CACd,GAAG,gBAAgB,CAQnB;AAED,+EAA+E;AAC/E,eAAO,MAAM,cAAc,EAAE,aAG5B,CAAC"}

package/dist/email.js

@@ -1,25 +1,25 @@
-// cairn-core: pluggable magic-link email sender.
-//
-// The default adapter targets Cloudflare Email Service (Email Sending, transactional,
-// arbitrary recipients), distinct from Email Routing's recipient-restricted `EmailMessage`
-// flow. Both share the same `send_email` binding (configured without a destination_address)
-// but use a different call shape: `binding.send({ to, from, ... })`.
-// Resend can slot in behind the same `sendMagicLink` signature if needed.
-export async function sendMagicLink(sender, to, link, siteName, from) {
-    const expiry = "This link expires in 10 minutes and works only once. If you didn't request it, ignore this email.";
-    try {
-        await sender.send({
-            to,
-            from,
-            subject: `Your ${siteName} sign-in link`,
-            text: `Sign in to ${siteName}:\n\n${link}\n\n${expiry}`,
-            html: `<p>Sign in to ${siteName}:</p><p><a href="${link}">Confirm sign-in</a></p><p style="color:#666;font-size:0.9em">${expiry}</p>`,
-        });
-    }
-    catch (err) {
-        // H6: Email Sending is beta + the sole auth channel. Surface + audit; a Resend fallback
-        // can slot in behind this same signature if Sending proves unreliable.
-        console.error(`magic-link email send failed for ${to}:`, err);
-        throw err;
-    }
+/** Escape the five HTML-significant characters. */
+function escapeHtml(value) {
+    return value
+        .replaceAll('&', '&amp;')
+        .replaceAll('<', '&lt;')
+        .replaceAll('>', '&gt;')
+        .replaceAll('"', '&quot;')
+        .replaceAll("'", '&#39;');
 }
+/** Build the confirmation email. The link is the only action; the copy stays plain. */
+export function buildMagicLinkMessage(input) {
+    const { to, branding, link } = input;
+    const subject = `Sign in to ${branding.siteName}`;
+    const text = `Open this link to sign in to ${branding.siteName}:\n\n${link}\n\nThe link expires in 10 minutes. If you did not request it, ignore this email.`;
+    // `link` is engine-built and url-safe; `siteName` is site config, so escape it for HTML.
+    const name = escapeHtml(branding.siteName);
+    const html = `<p>Open this link to sign in to ${name}:</p><p><a href="${link}">Sign in</a></p><p>The link expires in 10 minutes. If you did not request it, ignore this email.</p>`;
+    return { to, from: branding.from, subject, html, text };
+}
+/** The production send: Cloudflare Email Sending through the EMAIL binding. */
+export const cloudflareSend = async (env, message) => {
+    if (!env.EMAIL)
+        throw new Error('EMAIL binding is not configured');
+    await env.EMAIL.send(message);
+};

package/dist/env.d.ts

@@ -0,0 +1,24 @@
+import type { D1Database } from '@cloudflare/workers-types';
+/**
+ * Returns the site's public origin from configuration.
+ *
+ * The origin is always config-derived, never read from a request header, so a
+ * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
+ *
+ * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ */
+export declare function requireOrigin(env: {
+    PUBLIC_ORIGIN?: string;
+}): string;
+/**
+ * Returns the `AUTH_DB` binding, or throws a clear error when a site has not wired it.
+ *
+ * The handlers read D1 off `event.platform.env`; without this a misconfigured binding
+ * surfaces as a raw `TypeError` deep in a store call. This gives the failure a name.
+ *
+ * @throws Error when `AUTH_DB` is missing.
+ */
+export declare function requireDb(env: {
+    AUTH_DB?: D1Database;
+}): D1Database;
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/lib/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAMrE;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE;IAAE,OAAO,CAAC,EAAE,UAAU,CAAA;CAAE,GAAG,UAAU,CAKnE"}

package/dist/env.js

@@ -0,0 +1,29 @@
+/**
+ * Returns the site's public origin from configuration.
+ *
+ * The origin is always config-derived, never read from a request header, so a
+ * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
+ *
+ * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ */
+export function requireOrigin(env) {
+    const origin = env.PUBLIC_ORIGIN;
+    if (!origin) {
+        throw new Error('PUBLIC_ORIGIN is not configured');
+    }
+    return origin;
+}
+/**
+ * Returns the `AUTH_DB` binding, or throws a clear error when a site has not wired it.
+ *
+ * The handlers read D1 off `event.platform.env`; without this a misconfigured binding
+ * surfaces as a raw `TypeError` deep in a store call. This gives the failure a name.
+ *
+ * @throws Error when `AUTH_DB` is missing.
+ */
+export function requireDb(env) {
+    if (!env.AUTH_DB) {
+        throw new Error('AUTH_DB binding is not configured');
+    }
+    return env.AUTH_DB;
+}

package/dist/github/credentials.d.ts

@@ -0,0 +1,12 @@
+import type { BackendConfig } from '../content/types.js';
+import type { AppCredentials } from './types.js';
+/** The Worker secret holding the GitHub App private key: base64 of the PEM, single line. */
+export interface GithubKeyEnv {
+    GITHUB_APP_PRIVATE_KEY_B64?: string;
+}
+/**
+ * Assemble the `AppCredentials` the signer needs from the adapter's `backend` (app id,
+ * installation) and the Worker's private-key secret. Throws when the secret is unset.
+ */
+export declare function appCredentials(backend: Pick<BackendConfig, 'appId' | 'installationId'>, env: GithubKeyEnv): AppCredentials;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/github/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/lib/github/credentials.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,4FAA4F;AAC5F,MAAM,WAAW,YAAY;IAC3B,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACrC;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,OAAO,GAAG,gBAAgB,CAAC,EACxD,GAAG,EAAE,YAAY,GAChB,cAAc,CAMhB"}

package/dist/github/credentials.js

@@ -0,0 +1,11 @@
+/**
+ * Assemble the `AppCredentials` the signer needs from the adapter's `backend` (app id,
+ * installation) and the Worker's private-key secret. Throws when the secret is unset.
+ */
+export function appCredentials(backend, env) {
+    const privateKeyB64 = env.GITHUB_APP_PRIVATE_KEY_B64;
+    if (!privateKeyB64) {
+        throw new Error('GITHUB_APP_PRIVATE_KEY_B64 is not configured');
+    }
+    return { appId: backend.appId, installationId: backend.installationId, privateKeyB64 };
+}

package/dist/github/repo.d.ts

@@ -0,0 +1,49 @@
+import type { CommitAuthor, RepoFile, RepoRef } from './types.js';
+/** The recursive Git Trees API URL for the configured branch. */
+export declare function treeUrl(repo: RepoRef): string;
+/** A Git Trees API entry: a full repo path and whether it is a blob or a subtree. */
+interface TreeEntry {
+    path: string;
+    type: string;
+}
+/**
+ * Markdown files directly in `dir`, newest id first. Tree entries carry full repo paths, so
+ * the directory prefix is stripped to a basename before deriving the id. Nested files, non
+ * markdown, and other directories are dropped.
+ */
+export declare function markdownFilesIn(dir: string, tree: TreeEntry[]): RepoFile[];
+/**
+ * List the markdown files in a concept directory through the Git Trees API. A truncated tree
+ * (GitHub caps the recursive listing near 100,000 entries) throws rather than returning a
+ * silent partial list; a concept directory sits far below that, and sharding is deferred
+ * until one approaches it (spec §7.3).
+ */
+export declare function listMarkdown(repo: RepoRef, dir: string, token?: string): Promise<RepoFile[]>;
+/** The contents-API URL for a repo path, pinned to the configured branch. */
+export declare function contentsUrl(repo: RepoRef, path: string): string;
+/**
+ * Fetch a file's raw markdown, or null if it does not exist. The contents API caps a raw
+ * read at 1 MB; a concept's files sit far below that, and sharding is deferred until one
+ * approaches it (spec §7.3).
+ */
+export declare function readRaw(repo: RepoRef, path: string, token?: string): Promise<string | null>;
+/** The current blob sha for a path, or null if the file does not yet exist. */
+export declare function fileSha(repo: RepoRef, path: string, token: string): Promise<string | null>;
+/**
+ * Commit `content` to `path` on the configured branch through the contents API. The author is
+ * the editor; the committer is omitted, so GitHub attributes it to the App (`cairn-cms[bot]`).
+ * Updates the file in place when it exists (passing its sha), creates it otherwise. Returns the
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`,
+ * so the save fails safe: re-fetch and ask the editor to reapply, never a merge.
+ *
+ * Caller preconditions this layer cannot enforce, and the save action (Plan 05) must:
+ * `path` is confined to the concept's configured directory (the App token can write anywhere
+ * in the repo, so an unvalidated path could overwrite CI config or source), and `author` is
+ * derived from the verified server-side session, never from request input.
+ */
+export declare function commitFile(repo: RepoRef, path: string, content: string, opts: {
+    message: string;
+    author: CommitAuthor;
+}, token: string): Promise<string>;
+export {};
+//# sourceMappingURL=repo.d.ts.map

package/dist/github/repo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo.d.ts","sourceRoot":"","sources":["../../src/lib/github/repo.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAelE,iEAAiE;AACjE,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAE7C;AAED,qFAAqF;AACrF,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAOD;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,CAW1E;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,CAMlG;AAED,6EAA6E;AAC7E,wBAAgB,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKjG;AAOD,+EAA+E;AAC/E,wBAAsB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKhG;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,OAAO,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,EAC/C,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,CAiBjB"}

package/dist/github/repo.js

@@ -0,0 +1,123 @@
+// src/lib/github/repo.ts
+// cairn-cms: repo reads and the commit, over the GitHub REST API. Listing a concept
+// directory uses the Git Trees API (the contents API silently truncates at 1,000 entries,
+// spec §7.3); a single-file read uses the contents API. An optional token lifts reads to
+// the authenticated rate limit and unlocks private repos; ecnordic's repo is public, 907's
+// is not.
+import { idFromFilename } from '../content/ids.js';
+import { CommitConflictError } from './types.js';
+const API = 'https://api.github.com';
+/** Standard GitHub API headers, with a bearer token when one is supplied. */
+function ghHeaders(accept, token) {
+    const headers = {
+        Accept: accept,
+        'User-Agent': 'cairn-cms',
+        'X-GitHub-Api-Version': '2022-11-28',
+    };
+    if (token)
+        headers.Authorization = `Bearer ${token}`;
+    return headers;
+}
+/** The recursive Git Trees API URL for the configured branch. */
+export function treeUrl(repo) {
+    return `${API}/repos/${repo.owner}/${repo.repo}/git/trees/${encodeURIComponent(repo.branch)}?recursive=1`;
+}
+/** The basename of a repo path: the segment after the last slash. */
+function basename(path) {
+    return path.slice(path.lastIndexOf('/') + 1);
+}
+/**
+ * Markdown files directly in `dir`, newest id first. Tree entries carry full repo paths, so
+ * the directory prefix is stripped to a basename before deriving the id. Nested files, non
+ * markdown, and other directories are dropped.
+ */
+export function markdownFilesIn(dir, tree) {
+    const clean = dir.replace(/^\/+|\/+$/g, '');
+    const prefix = `${clean}/`;
+    return tree
+        .filter((entry) => entry.type === 'blob' && entry.path.startsWith(prefix) && entry.path.endsWith('.md'))
+        .filter((entry) => !entry.path.slice(prefix.length).includes('/'))
+        .map((entry) => {
+        const name = basename(entry.path);
+        return { id: idFromFilename(name), name, path: entry.path };
+    })
+        .sort((a, b) => b.id.localeCompare(a.id));
+}
+/**
+ * List the markdown files in a concept directory through the Git Trees API. A truncated tree
+ * (GitHub caps the recursive listing near 100,000 entries) throws rather than returning a
+ * silent partial list; a concept directory sits far below that, and sharding is deferred
+ * until one approaches it (spec §7.3).
+ */
+export async function listMarkdown(repo, dir, token) {
+    const res = await fetch(treeUrl(repo), { headers: ghHeaders('application/vnd.github+json', token) });
+    if (!res.ok)
+        throw new Error(`GitHub tree ${repo.branch} failed: ${res.status}`);
+    const body = (await res.json());
+    if (body.truncated)
+        throw new Error(`GitHub tree ${repo.branch} is truncated; ${dir} exceeds the listing cap`);
+    return markdownFilesIn(dir, body.tree);
+}
+/** The contents-API URL for a repo path, pinned to the configured branch. */
+export function contentsUrl(repo, path) {
+    const clean = path.replace(/^\/+|\/+$/g, '');
+    return `${API}/repos/${repo.owner}/${repo.repo}/contents/${clean}?ref=${encodeURIComponent(repo.branch)}`;
+}
+/**
+ * Fetch a file's raw markdown, or null if it does not exist. The contents API caps a raw
+ * read at 1 MB; a concept's files sit far below that, and sharding is deferred until one
+ * approaches it (spec §7.3).
+ */
+export async function readRaw(repo, path, token) {
+    const res = await fetch(contentsUrl(repo, path), { headers: ghHeaders('application/vnd.github.raw', token) });
+    if (res.status === 404)
+        return null;
+    if (!res.ok)
+        throw new Error(`GitHub read ${path} failed: ${res.status}`);
+    return res.text();
+}
+/** Standard (padded) base64 of UTF-8 text, the form the contents API expects. */
+function toBase64(text) {
+    return btoa(Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join(''));
+}
+/** The current blob sha for a path, or null if the file does not yet exist. */
+export async function fileSha(repo, path, token) {
+    const res = await fetch(contentsUrl(repo, path), { headers: ghHeaders('application/vnd.github+json', token) });
+    if (res.status === 404)
+        return null;
+    if (!res.ok)
+        throw new Error(`GitHub stat ${path} failed: ${res.status}`);
+    return (await res.json()).sha;
+}
+/**
+ * Commit `content` to `path` on the configured branch through the contents API. The author is
+ * the editor; the committer is omitted, so GitHub attributes it to the App (`cairn-cms[bot]`).
+ * Updates the file in place when it exists (passing its sha), creates it otherwise. Returns the
+ * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`,
+ * so the save fails safe: re-fetch and ask the editor to reapply, never a merge.
+ *
+ * Caller preconditions this layer cannot enforce, and the save action (Plan 05) must:
+ * `path` is confined to the concept's configured directory (the App token can write anywhere
+ * in the repo, so an unvalidated path could overwrite CI config or source), and `author` is
+ * derived from the verified server-side session, never from request input.
+ */
+export async function commitFile(repo, path, content, opts, token) {
+    const sha = await fileSha(repo, path, token);
+    const url = `${API}/repos/${repo.owner}/${repo.repo}/contents/${path.replace(/^\/+|\/+$/g, '')}`;
+    const res = await fetch(url, {
+        method: 'PUT',
+        headers: { ...ghHeaders('application/vnd.github+json', token), 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            message: opts.message,
+            content: toBase64(content),
+            branch: repo.branch,
+            author: opts.author,
+            ...(sha ? { sha } : {}),
+        }),
+    });
+    if (res.status === 409)
+        throw new CommitConflictError(path);
+    if (!res.ok)
+        throw new Error(`GitHub commit ${path} failed: ${res.status} ${await res.text()}`);
+    return (await res.json()).commit.sha;
+}