@glw907/cairn-cms 0.5.0 → 0.6.0-rc.0

package/dist/github/signing.d.ts

@@ -0,0 +1,17 @@
+import type { AppCredentials } from './types.js';
+/** Mint a GitHub App JWT (RS256), valid ~9 min, with `iat` backdated for clock skew. */
+export declare function appJwt(appId: string, privateKeyPem: string): Promise<string>;
+/** Exchange the App JWT for a short-lived installation access token. */
+export declare function installationToken(creds: AppCredentials): Promise<string>;
+/**
+ * Deploy-time self-test for the App signer: sign a dummy JWT with the configured key. It
+ * exercises the brittle PKCS#1-to-PKCS#8 conversion and the Web Crypto import and sign with
+ * no network call and no secret in the result, so `/admin/healthz` (Plan 05) catches a bad
+ * or rotated key before an editor's save fails. The `detail` is a fixed classifier, never the
+ * raw crypto error, so the surfaced health result cannot echo key bytes. Never throws.
+ */
+export declare function signingSelfTest(appId: string, privateKeyB64: string): Promise<{
+    ok: boolean;
+    detail?: string;
+}>;
+//# sourceMappingURL=signing.d.ts.map

package/dist/github/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/lib/github/signing.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AA0CjD,wFAAwF;AACxF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAclF;AAED,wEAAwE;AACxE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAa9E;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAQrH"}

package/dist/github/signing.js

@@ -0,0 +1,79 @@
+const API = 'https://api.github.com';
+const encoder = new TextEncoder();
+/** Encode bytes as unpadded base64url (RFC 4648 §5), the JWT wire format. */
+function bytesToB64url(bytes) {
+    const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replaceAll('=', '');
+}
+// TextEncoder/atob produce Uint8Arrays whose generic buffer type no longer satisfies Web
+// Crypto's BufferSource under strict lib types; hand the underlying ArrayBuffer over.
+function buf(bytes) {
+    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}
+/** DER length octets for a value of `n` bytes (short form < 128, else long form). */
+function derLength(n) {
+    if (n < 0x80)
+        return [n];
+    const out = [];
+    for (let v = n; v > 0; v >>= 8)
+        out.unshift(v & 0xff);
+    return [0x80 | out.length, ...out];
+}
+// AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
+const RSA_ALG_ID = [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00];
+/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 (the only RSA form Web Crypto importKey takes). */
+function pkcs1ToPkcs8(pkcs1) {
+    const octet = [0x04, ...derLength(pkcs1.length), ...pkcs1];
+    const body = [0x02, 0x01, 0x00, ...RSA_ALG_ID, ...octet];
+    return Uint8Array.from([0x30, ...derLength(body.length), ...body]);
+}
+/** Decode a PEM private key to PKCS#8 DER, converting from PKCS#1 (GitHub's format) if needed. */
+function pemToPkcs8(pem) {
+    const b64 = pem.replace(/-----[^-]+-----/g, '').replace(/\s+/g, '');
+    const der = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+    return pem.includes('RSA PRIVATE KEY') ? pkcs1ToPkcs8(der) : der;
+}
+/** Mint a GitHub App JWT (RS256), valid ~9 min, with `iat` backdated for clock skew. */
+export async function appJwt(appId, privateKeyPem) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = bytesToB64url(encoder.encode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })));
+    const payload = bytesToB64url(encoder.encode(JSON.stringify({ iat: now - 60, exp: now + 540, iss: appId })));
+    const signingInput = `${header}.${payload}`;
+    const key = await crypto.subtle.importKey('pkcs8', buf(pemToPkcs8(privateKeyPem)), { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['sign']);
+    const sig = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', key, buf(encoder.encode(signingInput)));
+    return `${signingInput}.${bytesToB64url(new Uint8Array(sig))}`;
+}
+/** Exchange the App JWT for a short-lived installation access token. */
+export async function installationToken(creds) {
+    const jwt = await appJwt(creds.appId, atob(creds.privateKeyB64));
+    const res = await fetch(`${API}/app/installations/${creds.installationId}/access_tokens`, {
+        method: 'POST',
+        headers: {
+            Accept: 'application/vnd.github+json',
+            Authorization: `Bearer ${jwt}`,
+            'User-Agent': 'cairn-cms',
+            'X-GitHub-Api-Version': '2022-11-28',
+        },
+    });
+    if (!res.ok)
+        throw new Error(`GitHub installation token failed: ${res.status}`);
+    return (await res.json()).token;
+}
+/**
+ * Deploy-time self-test for the App signer: sign a dummy JWT with the configured key. It
+ * exercises the brittle PKCS#1-to-PKCS#8 conversion and the Web Crypto import and sign with
+ * no network call and no secret in the result, so `/admin/healthz` (Plan 05) catches a bad
+ * or rotated key before an editor's save fails. The `detail` is a fixed classifier, never the
+ * raw crypto error, so the surfaced health result cannot echo key bytes. Never throws.
+ */
+export async function signingSelfTest(appId, privateKeyB64) {
+    try {
+        const jwt = await appJwt(appId, atob(privateKeyB64));
+        if (jwt.split('.').length !== 3)
+            return { ok: false, detail: 'malformed JWT' };
+        return { ok: true };
+    }
+    catch {
+        return { ok: false, detail: 'key import or sign failed' };
+    }
+}

package/dist/github/types.d.ts

@@ -0,0 +1,35 @@
+/** Repo coordinates pinned to a branch: the structural subset of `BackendConfig` the read and commit paths need. */
+export interface RepoRef {
+    owner: string;
+    repo: string;
+    branch: string;
+}
+/** A markdown file in a concept directory. `id` is the filename without `.md`. */
+export interface RepoFile {
+    id: string;
+    name: string;
+    path: string;
+}
+/** A commit author: the signed-in editor (spec §7.4). The committer is left to the App. */
+export interface CommitAuthor {
+    name: string;
+    email: string;
+}
+/** What the App signer needs: the app id, the installation, and the base64 PEM secret. */
+export interface AppCredentials {
+    appId: string;
+    installationId: string;
+    /** The stored `GITHUB_APP_PRIVATE_KEY_B64`: base64 of the PEM, single line. */
+    privateKeyB64: string;
+}
+/**
+ * A concurrent edit lost the SHA race: the file changed between the read and the PUT, from
+ * another editor or the site's own CI. Thrown so the save fails safe (re-fetch and ask the
+ * editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable, unlike kit's `redirect`/`error` across the peer boundary.
+ */
+export declare class CommitConflictError extends Error {
+    readonly path: string;
+    constructor(path: string);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/github/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/github/types.ts"],"names":[],"mappings":"AAMA,oHAAoH;AACpH,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,kFAAkF;AAClF,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,2FAA2F;AAC3F,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,0FAA0F;AAC1F,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAChB,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM;CAIzC"}

package/dist/github/types.js

@@ -0,0 +1,19 @@
+// src/lib/github/types.ts
+// cairn-cms: the GitHub backend's plain data types and its one typed error. The backend
+// reads repo coordinates from the adapter's `BackendConfig` (spec §8); `RepoRef` is the
+// `{ owner, repo, branch }` subset, so `backend` is assignable wherever a `RepoRef` is
+// wanted with no conversion.
+/**
+ * A concurrent edit lost the SHA race: the file changed between the read and the PUT, from
+ * another editor or the site's own CI. Thrown so the save fails safe (re-fetch and ask the
+ * editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
+ * so `instanceof` is reliable, unlike kit's `redirect`/`error` across the peer boundary.
+ */
+export class CommitConflictError extends Error {
+    path;
+    constructor(path) {
+        super(`Commit conflict on ${path}: it changed since it was opened`);
+        this.path = path;
+        this.name = 'CommitConflictError';
+    }
+}

package/dist/index.d.ts

@@ -1,7 +1,28 @@
-export * from './email';
-export * from './github';
-export * from './carta';
-export * from './content';
-export * from './adapter';
-export * from './render';
+export { requireOrigin } from './env.js';
+export type { Role, Editor, AuthEnv } from './auth/types.js';
+export type { AuthBranding, MagicLinkMessage, SendMagicLink } from './email.js';
+export { buildMagicLinkMessage, cloudflareSend } from './email.js';
+export type { CairnAdapter, ConceptConfig, FrontmatterField, TextField, TextareaField, DateField, BooleanField, TagsField, FreeTagsField, ValidationResult, BackendConfig, SenderConfig, NavMenuConfig, AssetConfig, RoutingRule, ConceptDescriptor, CairnExtension, CairnRuntime, AdminPanel, FieldTypeDef, } from './content/types.js';
+export { CONCEPT_ROUTING, normalizeConcepts, findConcept } from './content/concepts.js';
+export { composeRuntime } from './content/compose.js';
+export { frontmatterFromForm, dateInputValue, serializeMarkdown, parseMarkdown, } from './content/frontmatter.js';
+export { validateFields } from './content/validate.js';
+export { isValidId, idFromFilename, filenameFromId, slugify } from './content/ids.js';
+export { defineRegistry } from './render/registry.js';
+export type { ComponentDef, ComponentRegistry } from './render/registry.js';
+export { glyph } from './render/glyph.js';
+export type { IconSet } from './render/glyph.js';
+export { remarkDirectiveStamp } from './render/remark-directives.js';
+export { rehypeDispatch, isElement, strProp, iconSpan, splitHead, cardShell, markFirstList, } from './render/rehype-dispatch.js';
+export type { MakeIcon } from './render/rehype-dispatch.js';
+export { createRenderer } from './render/pipeline.js';
+export type { RendererOptions } from './render/pipeline.js';
+export type { RepoRef, RepoFile, CommitAuthor, AppCredentials } from './github/types.js';
+export { CommitConflictError } from './github/types.js';
+export { appJwt, installationToken, signingSelfTest } from './github/signing.js';
+export { treeUrl, markdownFilesIn, listMarkdown, contentsUrl, readRaw, fileSha, commitFile, } from './github/repo.js';
+export { appCredentials } from './github/credentials.js';
+export type { GithubKeyEnv } from './github/credentials.js';
+export { parseSiteConfig, extractMenu, setMenu, validateNavTree, MAX_NAV_NODES, NavValidationError, SiteConfigError, } from './nav/site-config.js';
+export type { NavNode, SiteConfig } from './nav/site-config.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/lib/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC7D,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGnE,YAAY,EACV,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,SAAS,EACT,YAAY,EACZ,SAAS,EACT,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,UAAU,EACV,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,iBAAiB,EACjB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,YAAY,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EACL,cAAc,EACd,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,SAAS,EACT,aAAa,GACd,MAAM,6BAA6B,CAAC;AACrC,YAAY,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAG5D,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EACL,OAAO,EACP,eAAe,EACf,YAAY,EACZ,WAAW,EACX,OAAO,EACP,OAAO,EACP,UAAU,GACX,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAG5D,OAAO,EACL,eAAe,EACf,WAAW,EACX,OAAO,EACP,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/index.js

@@ -1,8 +1,21 @@
-// cairn-cms public API. Consumers import content/email/github/adapter from 'cairn-cms';
-// auth (better-auth factory, guards, manage-editors) lives at the 'cairn-cms/auth' subpath.
-export * from './email';
-export * from './github';
-export * from './carta';
-export * from './content';
-export * from './adapter';
-export * from './render';
+// Engine entry. Auth landed in Plan 01, the content model and adapter in Plan 02, and the
+// GitHub read-and-commit backend in Plan 03; render and nav follow.
+export { requireOrigin } from './env.js';
+export { buildMagicLinkMessage, cloudflareSend } from './email.js';
+export { CONCEPT_ROUTING, normalizeConcepts, findConcept } from './content/concepts.js';
+export { composeRuntime } from './content/compose.js';
+export { frontmatterFromForm, dateInputValue, serializeMarkdown, parseMarkdown, } from './content/frontmatter.js';
+export { validateFields } from './content/validate.js';
+export { isValidId, idFromFilename, filenameFromId, slugify } from './content/ids.js';
+// Render engine (Plan 04): generic directive pipeline; sites own the component registry.
+export { defineRegistry } from './render/registry.js';
+export { glyph } from './render/glyph.js';
+export { remarkDirectiveStamp } from './render/remark-directives.js';
+export { rehypeDispatch, isElement, strProp, iconSpan, splitHead, cardShell, markFirstList, } from './render/rehype-dispatch.js';
+export { createRenderer } from './render/pipeline.js';
+export { CommitConflictError } from './github/types.js';
+export { appJwt, installationToken, signingSelfTest } from './github/signing.js';
+export { treeUrl, markdownFilesIn, listMarkdown, contentsUrl, readRaw, fileSha, commitFile, } from './github/repo.js';
+export { appCredentials } from './github/credentials.js';
+// Nav tree and site-config helpers (Plan 06).
+export { parseSiteConfig, extractMenu, setMenu, validateNavTree, MAX_NAV_NODES, NavValidationError, SiteConfigError, } from './nav/site-config.js';

package/dist/nav/site-config.d.ts

@@ -0,0 +1,50 @@
+/** One navigation node. An omitted or empty `url` is a label-only grouping header; no `children` is a leaf. */
+export interface NavNode {
+    label: string;
+    url?: string;
+    children?: NavNode[];
+}
+/** Total node cap across the whole tree, a guard against a runaway payload. */
+export declare const MAX_NAV_NODES = 200;
+/** Maximum character length for a node label. */
+export declare const MAX_LABEL_LENGTH = 500;
+/** Maximum character length for a node URL. */
+export declare const MAX_URL_LENGTH = 2048;
+export declare class NavValidationError extends Error {
+    constructor(message: string);
+}
+/**
+ * Validate and normalize an untrusted value into a NavNode[]: arrays only, non-empty labels, depth
+ * within `maxDepth` (1 is flat), a bounded node count, and only the three known keys kept. Throws
+ * NavValidationError on any violation. Used by navSave before writing.
+ */
+export declare function validateNavTree(value: unknown, maxDepth: number): NavNode[];
+/**
+ * Shape of the YAML site-config file. Unknown keys are ignored so the file can grow without an
+ * engine change. Read at build time by the public site.
+ */
+export interface SiteConfig {
+    siteName: string;
+    description?: string;
+    author?: string;
+    url?: string;
+    locale?: string;
+    /** Named navigation menus, each a NavNode[] (normalized by extractMenu). */
+    menus?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+export declare class SiteConfigError extends Error {
+    constructor(message: string);
+}
+/** Parse the YAML site-config text into a typed object. Throws SiteConfigError on a malformed root. */
+export declare function parseSiteConfig(raw: string): SiteConfig;
+/** Extract one named menu from a parsed config and validate it. Returns [] when the menu is absent. */
+export declare function extractMenu(config: SiteConfig, name: string, maxDepth: number): NavNode[];
+/**
+ * Replace one named menu in the YAML site-config text and reserialize, preserving every other
+ * top-level key (siteName, other menus, settings). Parses into a Document so the rest of the file
+ * round-trips. YAML comments are not preserved (an accepted trade); data keys are. A leaf node
+ * serializes without `url`/`children` keys.
+ */
+export declare function setMenu(raw: string, name: string, tree: NavNode[]): string;
+//# sourceMappingURL=site-config.d.ts.map

package/dist/nav/site-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"site-config.d.ts","sourceRoot":"","sources":["../../src/lib/nav/site-config.ts"],"names":[],"mappings":"AAMA,+GAA+G;AAC/G,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC;CACtB;AAED,+EAA+E;AAC/E,eAAO,MAAM,aAAa,MAAM,CAAC;AAEjC,iDAAiD;AACjD,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,+CAA+C;AAC/C,eAAO,MAAM,cAAc,OAAO,CAAC;AAKnC,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA6B3E;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,uGAAuG;AACvG,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAUvD;AAED,uGAAuG;AACvG,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAIzF;AAED;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,CAO1E"}

package/dist/nav/site-config.js

@@ -0,0 +1,100 @@
+// The navigation tree and its YAML site-config. A menu lives in the site's git-committed config
+// under `menus.<name>`, read at build time by the public layout and edited from /admin/nav, which
+// commits the file back through the GitHub-App pipeline. This module is pure: parse, validate, and
+// rewrite only. The engine returns data; each site renders the tree with its own markup.
+import { parse as parseYaml, parseDocument } from 'yaml';
+/** Total node cap across the whole tree, a guard against a runaway payload. */
+export const MAX_NAV_NODES = 200;
+/** Maximum character length for a node label. */
+export const MAX_LABEL_LENGTH = 500;
+/** Maximum character length for a node URL. */
+export const MAX_URL_LENGTH = 2048;
+/** Allowlist for safe URL schemes: site-relative, in-page anchors, http(s), mailto, and tel. */
+const SAFE_URL = /^(\/|#|https?:\/\/|mailto:|tel:)/i;
+export class NavValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'NavValidationError';
+    }
+}
+/**
+ * Validate and normalize an untrusted value into a NavNode[]: arrays only, non-empty labels, depth
+ * within `maxDepth` (1 is flat), a bounded node count, and only the three known keys kept. Throws
+ * NavValidationError on any violation. Used by navSave before writing.
+ */
+export function validateNavTree(value, maxDepth) {
+    let count = 0;
+    function walk(nodes, depth) {
+        if (!Array.isArray(nodes))
+            throw new NavValidationError('Navigation must be a list of items');
+        if (depth > maxDepth)
+            throw new NavValidationError(`Navigation is nested deeper than ${maxDepth} levels`);
+        return nodes.map((raw) => {
+            if (typeof raw !== 'object' || raw === null)
+                throw new NavValidationError('Each item must be an object');
+            const item = raw;
+            const label = typeof item.label === 'string' ? item.label.trim() : '';
+            if (!label)
+                throw new NavValidationError('Each item needs a label');
+            if (label.length > MAX_LABEL_LENGTH)
+                throw new NavValidationError('Label is too long (max 500 characters)');
+            if (++count > MAX_NAV_NODES)
+                throw new NavValidationError('Too many navigation items');
+            const node = { label };
+            if (typeof item.url === 'string' && item.url.trim()) {
+                const url = item.url.trim();
+                if (url.length > MAX_URL_LENGTH)
+                    throw new NavValidationError('URL is too long (max 2048 characters)');
+                if (!SAFE_URL.test(url))
+                    throw new NavValidationError('URL must start with /, #, http(s)://, mailto:, or tel:');
+                node.url = url;
+            }
+            if (item.children !== undefined) {
+                const children = walk(item.children, depth + 1);
+                if (children.length)
+                    node.children = children;
+            }
+            return node;
+        });
+    }
+    return walk(value, 1);
+}
+export class SiteConfigError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SiteConfigError';
+    }
+}
+/** Parse the YAML site-config text into a typed object. Throws SiteConfigError on a malformed root. */
+export function parseSiteConfig(raw) {
+    const parsed = parseYaml(raw);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new SiteConfigError('Site config must be a YAML mapping');
+    }
+    const { siteName } = parsed;
+    if (typeof siteName !== 'string' || !siteName.trim()) {
+        throw new SiteConfigError('Site config needs a siteName');
+    }
+    return parsed;
+}
+/** Extract one named menu from a parsed config and validate it. Returns [] when the menu is absent. */
+export function extractMenu(config, name, maxDepth) {
+    const menu = config.menus?.[name];
+    if (menu === undefined)
+        return [];
+    return validateNavTree(menu, maxDepth);
+}
+/**
+ * Replace one named menu in the YAML site-config text and reserialize, preserving every other
+ * top-level key (siteName, other menus, settings). Parses into a Document so the rest of the file
+ * round-trips. YAML comments are not preserved (an accepted trade); data keys are. A leaf node
+ * serializes without `url`/`children` keys.
+ */
+export function setMenu(raw, name, tree) {
+    const doc = parseDocument(raw);
+    if (doc.get('siteName') === undefined) {
+        throw new SiteConfigError('Site config must be a mapping with a siteName');
+    }
+    doc.setIn(['menus', name], tree);
+    return doc.toString();
+}

package/dist/render/glyph.d.ts

@@ -1,5 +1,5 @@
 import type { Element } from 'hast';
-/** A glyph name → SVG path-data map (the site owns the icon set). */
+/** A glyph name to SVG path-data map (the site owns the icon set). */
 export type IconSet = Record<string, string>;
 /** Inline SVG glyph as a real hast node: class ec-glyph, 256 viewBox, currentColor fill. */
 export declare function glyph(name: string, icons: IconSet): Element;

package/dist/render/glyph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"glyph.d.ts","sourceRoot":"","sources":["../../src/lib/render/glyph.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,qEAAqE;AACrE,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE7C,4FAA4F;AAC5F,wBAAgB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAM3D"}
+{"version":3,"file":"glyph.d.ts","sourceRoot":"","sources":["../../src/lib/render/glyph.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,sEAAsE;AACtE,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE7C,4FAA4F;AAC5F,wBAAgB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAM3D"}

package/dist/render/index.d.ts

@@ -1,6 +1,6 @@
-export * from './registry';
-export * from './glyph';
-export * from './remark-directives';
-export * from './rehype-dispatch';
-export * from './pipeline';
+export * from './registry.js';
+export * from './glyph.js';
+export * from './remark-directives.js';
+export * from './rehype-dispatch.js';
+export * from './pipeline.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/render/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/render/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAC3B,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/render/index.ts"],"names":[],"mappings":"AAGA,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,eAAe,CAAC"}

package/dist/render/index.js

@@ -1,8 +1,8 @@
-// cairn-cms render engine: a directive-driven markdown → HTML pipeline whose
+// cairn-cms render engine: a directive-driven markdown to HTML pipeline whose
 // component vocabulary is supplied by a site's component registry. The site owns the
 // component builders, class names, icon set, and CSS; the engine owns the machinery.
-export * from './registry';
-export * from './glyph';
-export * from './remark-directives';
-export * from './rehype-dispatch';
-export * from './pipeline';
+export * from './registry.js';
+export * from './glyph.js';
+export * from './remark-directives.js';
+export * from './rehype-dispatch.js';
+export * from './pipeline.js';

package/dist/render/pipeline.d.ts

@@ -1,12 +1,12 @@
 import { type PluggableList } from 'unified';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export interface RendererOptions {
     /** A site's per-index motion formula for the top-level rise stagger
      *  (e.g. ecnordic's `(i) => '--rise:' + …`). Omit for no stagger. */
     rise?: (idx: number) => string;
 }
-/** Compose a site's render pipeline from its component registry: directive syntax →
- *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+/** Compose a site's render pipeline from its component registry: directive syntax to
+ *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
 export declare function createRenderer(registry: ComponentRegistry, options?: RendererOptions): {
     remarkPlugins: PluggableList;

package/dist/render/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC/B;yEACqE;IACrE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;CAC/B;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAavD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAEzD"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,WAAW,eAAe;IAC9B;yEACqE;IACrE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;CAChC;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAarD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAE3D"}

package/dist/render/pipeline.js

@@ -6,10 +6,10 @@ import remarkRehype from 'remark-rehype';
 import rehypeRaw from 'rehype-raw';
 import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
-import { remarkDirectiveStamp } from './remark-directives';
-import { rehypeDispatch } from './rehype-dispatch';
-/** Compose a site's render pipeline from its component registry: directive syntax →
- *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+import { remarkDirectiveStamp } from './remark-directives.js';
+import { rehypeDispatch } from './rehype-dispatch.js';
+/** Compose a site's render pipeline from its component registry: directive syntax to
+ *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
 export function createRenderer(registry, options = {}) {
     const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry]];

package/dist/render/registry.d.ts

@@ -11,7 +11,7 @@ export interface ComponentDef {
     insertTemplate: string;
     /** Build the final hast element from the stamped directive element. */
     build: (node: Element, rise?: string) => Element;
-    /** Optional role→default-icon (e.g. `{ caution: 'warning' }`). */
+    /** Optional role-to-default-icon, e.g. `{ caution: 'warning' }`. */
     defaultIconByRole?: Record<string, string>;
 }
 export interface ComponentRegistry {
@@ -20,9 +20,11 @@ export interface ComponentRegistry {
     get(name: string): ComponentDef | undefined;
     defaultIcon(name: string, role?: string): string | undefined;
 }
-/** Build a registry from a site's component definitions. The single source the
- *  render pipeline (directive stamp + rehype dispatch) and the editor palette read. */
-export declare function defineRegistry(input: {
+/**
+ * Build a registry from a site's component definitions. The single source the render
+ * pipeline (directive stamp plus rehype dispatch) and the editor palette both read.
+ */
+export declare function defineRegistry({ components }: {
     components: ComponentDef[];
 }): ComponentRegistry;
 //# sourceMappingURL=registry.d.ts.map

package/dist/render/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/lib/render/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,6EAA6E;AAC7E,MAAM,WAAW,YAAY;IAC5B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,cAAc,EAAE,MAAM,CAAC;IACvB,uEAAuE;IACvE,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACjD,kEAAkE;IAClE,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,iBAAiB;IACjC,IAAI,EAAE,YAAY,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC7D;AAED;uFACuF;AACvF,wBAAgB,cAAc,CAAC,KAAK,EAAE;IAAE,UAAU,EAAE,YAAY,EAAE,CAAA;CAAE,GAAG,iBAAiB,CAQvF"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/lib/render/registry.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,6EAA6E;AAC7E,MAAM,WAAW,YAAY;IAC3B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,cAAc,EAAE,MAAM,CAAC;IACvB,uEAAuE;IACvE,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACjD,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,YAAY,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC9D;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,EAAE,UAAU,EAAE,EAAE;IAAE,UAAU,EAAE,YAAY,EAAE,CAAA;CAAE,GAAG,iBAAiB,CAQhG"}

package/dist/render/registry.js

@@ -1,10 +1,12 @@
-/** Build a registry from a site's component definitions. The single source the
- *  render pipeline (directive stamp + rehype dispatch) and the editor palette read. */
-export function defineRegistry(input) {
-    const byName = new Map(input.components.map((c) => [c.name, c]));
+/**
+ * Build a registry from a site's component definitions. The single source the render
+ * pipeline (directive stamp plus rehype dispatch) and the editor palette both read.
+ */
+export function defineRegistry({ components }) {
+    const byName = new Map(components.map((c) => [c.name, c]));
     return {
-        defs: input.components,
-        names: input.components.map((c) => c.name),
+        defs: components,
+        names: components.map((c) => c.name),
         get: (name) => byName.get(name),
         defaultIcon: (name, role) => (role ? byName.get(name)?.defaultIconByRole?.[role] : undefined),
     };

package/dist/render/rehype-dispatch.d.ts

@@ -1,5 +1,5 @@
 import type { Root, Element, ElementContent } from 'hast';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export declare function isElement(node: ElementContent | undefined): node is Element;
 export declare function strProp(node: Element, name: string): string | undefined;
 /** Wrap a pre-built glyph in an ec-icon span; secondary role adds the modifier. */

package/dist/render/rehype-dispatch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rehype-dispatch.d.ts","sourceRoot":"","sources":["../../src/lib/render/rehype-dispatch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAc,MAAM,MAAM,CAAC;AAEtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,wBAAgB,SAAS,CAAC,IAAI,EAAE,cAAc,GAAG,SAAS,GAAG,IAAI,IAAI,OAAO,CAE3E;AAKD,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAGvE;AAED,mFAAmF;AACnF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED,kFAAkF;AAClF,MAAM,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;AAMhE,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,cAAc,EAAE,CAAA;CAAE,CAYvG;AAED;0CAC0C;AAC1C,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,OAAO,CAItG;AAED;kFACkF;AAClF,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,GAAG,SAAS,CAS7E;AAmBD;;;mFAGmF;AACnF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,IACjF,MAAM,IAAI,UAUlB"}
+{"version":3,"file":"rehype-dispatch.d.ts","sourceRoot":"","sources":["../../src/lib/render/rehype-dispatch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAc,MAAM,MAAM,CAAC;AAEtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD,wBAAgB,SAAS,CAAC,IAAI,EAAE,cAAc,GAAG,SAAS,GAAG,IAAI,IAAI,OAAO,CAE3E;AAKD,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAGvE;AAED,mFAAmF;AACnF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED,kFAAkF;AAClF,MAAM,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;AAMhE,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,cAAc,EAAE,CAAA;CAAE,CAYvG;AAED;0CAC0C;AAC1C,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,OAAO,CAItG;AAED;kFACkF;AAClF,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,GAAG,SAAS,CAS7E;AAmBD;;;mFAGmF;AACnF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,IAChF,MAAM,IAAI,UAUnB"}

package/dist/render/remark-directives.d.ts

@@ -1,4 +1,4 @@
 import type { Root } from 'mdast';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export declare function remarkDirectiveStamp(registry: ComponentRegistry): (tree: Root) => void;
 //# sourceMappingURL=remark-directives.d.ts.map

package/dist/render/remark-directives.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remark-directives.d.ts","sourceRoot":"","sources":["../../src/lib/render/remark-directives.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA8B,IAAI,EAAQ,MAAM,OAAO,CAAC;AAGpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAmCpD,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,iBAAiB,IAEvD,MAAM,IAAI,UA8BlB"}
+{"version":3,"file":"remark-directives.d.ts","sourceRoot":"","sources":["../../src/lib/render/remark-directives.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA8B,IAAI,EAAQ,MAAM,OAAO,CAAC;AAGpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAmCvD,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,iBAAiB,IAEtD,MAAM,IAAI,UA8BnB"}

package/dist/render/sanitize.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sanitize rendered preview HTML before it reaches `{@html}`. Strips scripts, inline event
+ * handlers, and dangerous URL schemes (`javascript:`, `data:`) while keeping ordinary formatting.
+ * Also forces `rel="noopener noreferrer"` on any anchor with `target="_blank"` to prevent
+ * reverse-tabnabbing. Browser-only; resolves the same string DOMPurify would return.
+ */
+export declare function sanitizePreviewHtml(html: string): Promise<string>;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/render/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/lib/render/sanitize.ts"],"names":[],"mappings":"AAOA;;;;;GAKG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAavE"}

package/dist/render/sanitize.js

@@ -0,0 +1,26 @@
+// The live preview's sanitize floor. Carta runs with `sanitizer: false` behind the MarkdownEditor
+// seam, so the admin preview pane is the one barrier between editor-authored markdown and the DOM.
+// DOMPurify needs a DOM, and the preview renders only in the browser after mount, so DOMPurify
+// loads through a dynamic import: the module never evaluates a DOM library on the Worker, and a
+// server import of this file pulls in nothing.
+let purify = null;
+/**
+ * Sanitize rendered preview HTML before it reaches `{@html}`. Strips scripts, inline event
+ * handlers, and dangerous URL schemes (`javascript:`, `data:`) while keeping ordinary formatting.
+ * Also forces `rel="noopener noreferrer"` on any anchor with `target="_blank"` to prevent
+ * reverse-tabnabbing. Browser-only; resolves the same string DOMPurify would return.
+ */
+export async function sanitizePreviewHtml(html) {
+    if (!purify) {
+        const mod = await import('dompurify');
+        purify = mod.default;
+        purify.addHook('afterSanitizeAttributes', (node) => {
+            if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+                node.setAttribute('rel', 'noopener noreferrer');
+            }
+        });
+    }
+    // ADD_ATTR: ['target'] allows target="_blank" through so the afterSanitizeAttributes hook
+    // can enforce rel="noopener noreferrer" on those anchors before they reach the DOM.
+    return purify.sanitize(html, { ADD_ATTR: ['target'] });
+}