@glw907/cairn-cms 0.5.1 → 0.6.0-rc.0

package/src/lib/sveltekit/types.ts

@@ -0,0 +1,33 @@
+// Structural subsets of SvelteKit's RequestEvent. A site passes its real event, which has
+// these and more, so the engine never imports a site's generated App.* ambient types.
+import type { AuthEnv, Editor } from '../auth/types.js';
+
+export interface CookieSetOptions {
+  path: string;
+  httpOnly?: boolean;
+  secure?: boolean;
+  sameSite?: 'lax' | 'strict' | 'none';
+  maxAge?: number;
+}
+
+export interface CookieJar {
+  get(name: string): string | undefined;
+  set(name: string, value: string, opts: CookieSetOptions): void;
+  delete(name: string, opts: { path: string }): void;
+}
+
+export interface RequestContext {
+  url: URL;
+  request: Request;
+  cookies: CookieJar;
+  locals: { editor?: Editor | null };
+  platform?: { env?: AuthEnv };
+  // Required so a site cannot silently drop the confirm page's Referrer-Policy header
+  // (spec 7.1). A real SvelteKit RequestEvent always supplies it.
+  setHeaders(headers: Record<string, string>): void;
+}
+
+export interface HandleInput {
+  event: RequestContext;
+  resolve(event: RequestContext): Promise<Response> | Response;
+}

package/dist/adapter.d.ts

@@ -1,93 +0,0 @@
-import type { PreviewPlugins } from './carta';
-import type { RepoRef } from './github';
-import type { ComponentRegistry } from './render';
-interface FieldBase {
-    /** Frontmatter key and form input name. */
-    name: string;
-    label: string;
-    required?: boolean;
-}
-export interface TextField extends FieldBase {
-    type: 'text';
-}
-export interface DateField extends FieldBase {
-    type: 'date';
-}
-export interface TextareaField extends FieldBase {
-    type: 'textarea';
-    rows?: number;
-}
-export interface BooleanField extends FieldBase {
-    type: 'boolean';
-}
-export interface TagsField extends FieldBase {
-    type: 'tags';
-    /** Controlled vocabulary rendered as checkboxes. */
-    options: readonly string[];
-}
-export interface FreeTagsField extends FieldBase {
-    type: 'freetags';
-    /** Free-form tags, edited as one comma-separated text input (no controlled vocabulary). */
-    placeholder?: string;
-}
-export type CairnField = TextField | DateField | TextareaField | BooleanField | TagsField | FreeTagsField;
-export interface CairnCollection {
-    /** Route `[type]` segment and list key, e.g. `posts`. */
-    type: string;
-    label: string;
-    /**
-     * Editing shape. `story` (the default when absent) is a dated feed entry; `page` is a
-     * navigation-placed entry with a path-like slug and no date emphasis. Drives the create
-     * form and the editor header. Never gates editing capability: the palette and toolbar are
-     * available to both. (Pass K, R4.)
-     */
-    kind?: 'page' | 'story';
-    /** Repo-relative folder holding the collection's markdown files. */
-    dir: string;
-    /** Editor form fields, rendered in order. */
-    fields: CairnField[];
-    /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
-    validate(data: Record<string, unknown>, source: string): object;
-}
-/** A managed navigation menu, read from and committed to the site's YAML config file. */
-export interface NavMenuConfig {
-    /** Repo-relative path to the site-config YAML, e.g. 'src/lib/site.config.yaml'. */
-    configPath: string;
-    /** Key within the file's `menus` map, e.g. 'primary'. */
-    menuName: string;
-    /** Sidebar/admin label for the menu. */
-    label: string;
-    /** Max nesting depth allowed in the editor (1 = flat). Defaults to 2. */
-    maxDepth?: number;
-}
-export interface CairnAdapter {
-    /** Branding + magic-link email copy. */
-    siteName: string;
-    /** From: address for magic-link email (must be a domain-authenticated sender). */
-    sender: string;
-    /** The repository the admin reads content from and commits to. */
-    backend: RepoRef;
-    /** Site plugin set for the Carta preview (parity with the live render). */
-    preview: PreviewPlugins;
-    collections: CairnCollection[];
-    /**
-     * The site's component registry: the single declaration of its directive
-     * components (R10a). Rendering parity already flows through `preview`; this
-     * exposes the same registry so the editor's insert-component palette can read
-     * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
-     * omit it or supply an empty registry.
-     */
-    registry?: ComponentRegistry;
-    /**
-     * The navigation menu this site manages from `/admin/nav` (R3/Pass L2). The menu lives in the
-     * site's git-committed YAML config (read at build time by the layout, committed back by the
-     * editor). Omit to hide the nav surface, the same opt-in shape as `registry`.
-     */
-    navMenu?: NavMenuConfig;
-}
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export declare function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined;
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export declare function frontmatterFromForm(collection: CairnCollection, form: FormData): Record<string, unknown>;
-export {};
-//# sourceMappingURL=adapter.d.ts.map

package/dist/adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/lib/adapter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAElD,UAAU,SAAS;IACjB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;CACd;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,MAAM,WAAW,YAAa,SAAQ,SAAS;IAC7C,IAAI,EAAE,SAAS,CAAC;CACjB;AACD,MAAM,WAAW,SAAU,SAAQ,SAAS;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;CAC5B;AACD,MAAM,WAAW,aAAc,SAAQ,SAAS;IAC9C,IAAI,EAAE,UAAU,CAAC;IACjB,2FAA2F;IAC3F,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,UAAU,GAClB,SAAS,GACT,SAAS,GACT,aAAa,GACb,YAAY,GACZ,SAAS,GACT,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd;;;;;OAKG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACxB,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACjE;AAED,yFAAyF;AACzF,MAAM,WAAW,aAAa;IAC5B,mFAAmF;IACnF,UAAU,EAAE,MAAM,CAAC;IACnB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,yEAAyE;IACzE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,wCAAwC;IACxC,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B;;;;OAIG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED,yFAAyF;AACzF,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE/F;AAED,0FAA0F;AAC1F,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,eAAe,EAC3B,IAAI,EAAE,QAAQ,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA0BzB"}

package/dist/adapter.js

@@ -1,30 +0,0 @@
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export function findCollection(adapter, type) {
-    return adapter.collections.find((collection) => collection.type === type);
-}
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export function frontmatterFromForm(collection, form) {
-    const data = {};
-    for (const field of collection.fields) {
-        switch (field.type) {
-            case 'boolean':
-                data[field.name] = form.get(field.name) === 'on';
-                break;
-            case 'tags':
-                data[field.name] = form.getAll(field.name).map(String);
-                break;
-            case 'freetags':
-                // One comma-separated input → trimmed, de-duplicated, non-empty tags.
-                data[field.name] = [
-                    ...new Set(String(form.get(field.name) ?? '')
-                        .split(',')
-                        .map((tag) => tag.trim())
-                        .filter(Boolean)),
-                ];
-                break;
-            default:
-                data[field.name] = form.get(field.name);
-        }
-    }
-    return data;
-}

package/dist/auth/admins.d.ts

@@ -1,33 +0,0 @@
-import type { Auth } from './config';
-import type { CairnUser } from './guard';
-export interface AdminsData {
-    admins: CairnUser[];
-    /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-    self: string;
-    saved: boolean;
-    error: string | null;
-}
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export declare function requireOwner(user: CairnUser | null): CairnUser;
-type Ev = {
-    locals: {
-        auth: Auth;
-        user: CairnUser | null;
-    };
-    request: Request;
-    url: URL;
-};
-/** List the allowlist for the manage-editors page. Owner-only. */
-export declare function adminsLoad(event: Ev): Promise<AdminsData>;
-/** Add an editor (create the user). Owner-only. */
-export declare function addAdmin(event: Ev): Promise<never>;
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export declare function removeAdmin(event: Ev): Promise<never>;
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export declare function setAdminRole(event: Ev): Promise<never>;
-export {};
-//# sourceMappingURL=admins.d.ts.map

package/dist/auth/admins.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"admins.d.ts","sourceRoot":"","sources":["../../src/lib/auth/admins.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAID;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAI9D;AAED,KAAK,EAAE,GAAG;IAAE,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAAA;KAAE,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAgBzF,kEAAkE;AAClE,wBAAsB,UAAU,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAa/D;AAED,mDAAmD;AACnD,wBAAsB,QAAQ,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAYxD;AAED,qGAAqG;AACrG,wBAAsB,WAAW,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAW3D;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,KAAK,EAAE,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAc5D"}

package/dist/auth/admins.js

@@ -1,90 +0,0 @@
-// cairn-core: owner-gated editor management, on better-auth's admin API. The `user` table IS
-// the allowlist (disableSignUp ⇒ only listed emails can sign in), so add/remove editor = create/
-// remove user; role flips go through the admin plugin's access-control roles (owner/editor).
-// These run as SvelteKit form actions; each verifies the acting user is an owner first.
-import { redirect, error } from '@sveltejs/kit';
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export function requireOwner(user) {
-    if (!user)
-        throw error(401, 'Not signed in');
-    if (user.role !== 'owner')
-        throw error(403, 'Owner access required');
-    return user;
-}
-function asCairnUser(u) {
-    return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-/** Find an editor by exact (lowercased) email, or undefined. */
-async function findByEmail(event, email) {
-    const res = await event.locals.auth.api.listUsers({
-        query: { searchValue: email, searchField: 'email', limit: 100 },
-        headers: event.request.headers,
-    });
-    const match = (res.users ?? []).find((u) => u.email.toLowerCase() === email);
-    return match ? asCairnUser(match) : undefined;
-}
-/** List the allowlist for the manage-editors page. Owner-only. */
-export async function adminsLoad(event) {
-    const owner = requireOwner(event.locals.user);
-    const res = await event.locals.auth.api.listUsers({
-        query: { limit: 200 },
-        headers: event.request.headers,
-    });
-    const admins = (res.users ?? []).map(asCairnUser).sort((a, b) => a.email.localeCompare(b.email));
-    return {
-        admins,
-        self: owner.email,
-        saved: event.url.searchParams.get('saved') === '1',
-        error: event.url.searchParams.get('error'),
-    };
-}
-/** Add an editor (create the user). Owner-only. */
-export async function addAdmin(event) {
-    requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    const name = String(form.get('name') ?? '').trim();
-    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-    if (!EMAIL_RE.test(email) || !name) {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-    }
-    // No password: a magic-link-only user (no credential account), per better-auth's createUser.
-    await event.locals.auth.api.createUser({ body: { email, name, role }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event) {
-    const owner = requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    if (email === owner.email) {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-    }
-    const target = await findByEmail(event, email);
-    if (!target)
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-    await event.locals.auth.api.removeUser({ body: { userId: target.id }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event) {
-    const owner = requireOwner(event.locals.user);
-    const form = await event.request.formData();
-    const email = String(form.get('email') ?? '').trim().toLowerCase();
-    const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-    if (email === owner.email && role !== 'owner') {
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-    }
-    const target = await findByEmail(event, email);
-    if (!target)
-        throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-    await event.locals.auth.api.setRole({ body: { userId: target.id, role }, headers: event.request.headers });
-    // M3: revoke a demoted editor's live sessions so the privilege drop takes effect immediately.
-    await event.locals.auth.api.revokeUserSessions({ body: { userId: target.id }, headers: event.request.headers });
-    throw redirect(303, '/admin/admins?saved=1');
-}

package/dist/auth/capabilities.d.ts

@@ -1,7 +0,0 @@
-import type { CairnUser } from './guard';
-export type Capability = 'story:create' | 'story:edit' | 'page:edit' | 'page:create' | 'nav:manage' | 'user:manage';
-/** Does this user hold the capability? A signed-out (null) user holds nothing. */
-export declare function can(user: CairnUser | null, cap: Capability): boolean;
-/** Assert the capability for a route load/action: 401 when signed out, 403 when under-privileged. */
-export declare function requireCapability(user: CairnUser | null, cap: Capability): CairnUser;
-//# sourceMappingURL=capabilities.d.ts.map

package/dist/auth/capabilities.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/lib/auth/capabilities.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,YAAY,GACZ,WAAW,GACX,aAAa,GACb,YAAY,GACZ,aAAa,CAAC;AASlB,kFAAkF;AAClF,wBAAgB,GAAG,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAIpE;AAED,qGAAqG;AACrG,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,EAAE,UAAU,GAAG,SAAS,CAIpF"}

package/dist/auth/capabilities.js

@@ -1,26 +0,0 @@
-// cairn-core: capability checks. Management surfaces gate on a capability, not on a role name,
-// so the two-tier owner/editor model can grow finer capabilities (and a future role) additively.
-// Creating a page and changing the nav are structural acts, so they sit with owner; editing a
-// page's content and running the story feed are everyday editor work.
-import { error } from '@sveltejs/kit';
-// One source of truth. `'all'` means every capability; otherwise the explicit grant list. A future
-// `manager` role is one more row here, no call-site changes.
-const CAPS_BY_ROLE = {
-    owner: 'all',
-    editor: ['story:create', 'story:edit', 'page:edit'],
-};
-/** Does this user hold the capability? A signed-out (null) user holds nothing. */
-export function can(user, cap) {
-    if (!user)
-        return false;
-    const grants = CAPS_BY_ROLE[user.role];
-    return grants === 'all' || grants.includes(cap);
-}
-/** Assert the capability for a route load/action: 401 when signed out, 403 when under-privileged. */
-export function requireCapability(user, cap) {
-    if (!user)
-        throw error(401, 'Not signed in');
-    if (!can(user, cap))
-        throw error(403, 'You do not have permission to do that');
-    return user;
-}