@glw907/cairn-cms 0.5.1 → 0.6.0-rc.0

package/dist/{nav.js → nav/site-config.js}

@@ -1,10 +1,16 @@
-// cairn-core: the navigation tree. A menu lives in the site's git-committed `site.config.yaml`
-// under `menus.<name>`, read at build time by the public layout and edited from `/admin/nav`,
-// which commits the file back through the GitHub-App pipeline. The engine returns data only; each
-// site renders the tree with its own header markup.
+// The navigation tree and its YAML site-config. A menu lives in the site's git-committed config
+// under `menus.<name>`, read at build time by the public layout and edited from /admin/nav, which
+// commits the file back through the GitHub-App pipeline. This module is pure: parse, validate, and
+// rewrite only. The engine returns data; each site renders the tree with its own markup.
 import { parse as parseYaml, parseDocument } from 'yaml';
 /** Total node cap across the whole tree, a guard against a runaway payload. */
 export const MAX_NAV_NODES = 200;
+/** Maximum character length for a node label. */
+export const MAX_LABEL_LENGTH = 500;
+/** Maximum character length for a node URL. */
+export const MAX_URL_LENGTH = 2048;
+/** Allowlist for safe URL schemes: site-relative, in-page anchors, http(s), mailto, and tel. */
+const SAFE_URL = /^(\/|#|https?:\/\/|mailto:|tel:)/i;
 export class NavValidationError extends Error {
     constructor(message) {
         super(message);
@@ -12,9 +18,9 @@ export class NavValidationError extends Error {
     }
 }
 /**
- * Validate and normalize an untrusted value into a NavNode[]: arrays only, non-empty labels,
- * depth within `maxDepth` (1 = flat), bounded node count, and only the three known keys kept.
- * Throws NavValidationError on any violation. Used by `navSave` before writing.
+ * Validate and normalize an untrusted value into a NavNode[]: arrays only, non-empty labels, depth
+ * within `maxDepth` (1 is flat), a bounded node count, and only the three known keys kept. Throws
+ * NavValidationError on any violation. Used by navSave before writing.
  */
 export function validateNavTree(value, maxDepth) {
     let count = 0;
@@ -30,11 +36,19 @@ export function validateNavTree(value, maxDepth) {
             const label = typeof item.label === 'string' ? item.label.trim() : '';
             if (!label)
                 throw new NavValidationError('Each item needs a label');
+            if (label.length > MAX_LABEL_LENGTH)
+                throw new NavValidationError('Label is too long (max 500 characters)');
             if (++count > MAX_NAV_NODES)
                 throw new NavValidationError('Too many navigation items');
             const node = { label };
-            if (typeof item.url === 'string' && item.url.trim())
-                node.url = item.url.trim();
+            if (typeof item.url === 'string' && item.url.trim()) {
+                const url = item.url.trim();
+                if (url.length > MAX_URL_LENGTH)
+                    throw new NavValidationError('URL is too long (max 2048 characters)');
+                if (!SAFE_URL.test(url))
+                    throw new NavValidationError('URL must start with /, #, http(s)://, mailto:, or tel:');
+                node.url = url;
+            }
             if (item.children !== undefined) {
                 const children = walk(item.children, depth + 1);
                 if (children.length)
@@ -71,10 +85,10 @@ export function extractMenu(config, name, maxDepth) {
     return validateNavTree(menu, maxDepth);
 }
 /**
- * Replace one named menu in the YAML site-config text and re-serialize, preserving every other
- * top-level key (siteName, other menus, settings, ...). The `/admin/nav` editor commits the result.
- * Parses into a Document so the rest of the file round-trips; YAML comments are not preserved
- * (an accepted trade), but data keys are. A leaf node serializes without `url`/`children` keys.
+ * Replace one named menu in the YAML site-config text and reserialize, preserving every other
+ * top-level key (siteName, other menus, settings). Parses into a Document so the rest of the file
+ * round-trips. YAML comments are not preserved (an accepted trade); data keys are. A leaf node
+ * serializes without `url`/`children` keys.
  */
 export function setMenu(raw, name, tree) {
     const doc = parseDocument(raw);

package/dist/render/glyph.d.ts

@@ -1,5 +1,5 @@
 import type { Element } from 'hast';
-/** A glyph name → SVG path-data map (the site owns the icon set). */
+/** A glyph name to SVG path-data map (the site owns the icon set). */
 export type IconSet = Record<string, string>;
 /** Inline SVG glyph as a real hast node: class ec-glyph, 256 viewBox, currentColor fill. */
 export declare function glyph(name: string, icons: IconSet): Element;

package/dist/render/glyph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"glyph.d.ts","sourceRoot":"","sources":["../../src/lib/render/glyph.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,qEAAqE;AACrE,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE7C,4FAA4F;AAC5F,wBAAgB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAM3D"}
+{"version":3,"file":"glyph.d.ts","sourceRoot":"","sources":["../../src/lib/render/glyph.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,sEAAsE;AACtE,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE7C,4FAA4F;AAC5F,wBAAgB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAM3D"}

package/dist/render/index.d.ts

@@ -1,6 +1,6 @@
-export * from './registry';
-export * from './glyph';
-export * from './remark-directives';
-export * from './rehype-dispatch';
-export * from './pipeline';
+export * from './registry.js';
+export * from './glyph.js';
+export * from './remark-directives.js';
+export * from './rehype-dispatch.js';
+export * from './pipeline.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/render/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/render/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAC3B,cAAc,SAAS,CAAC;AACxB,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/render/index.ts"],"names":[],"mappings":"AAGA,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,eAAe,CAAC"}

package/dist/render/index.js

@@ -1,8 +1,8 @@
-// cairn-cms render engine: a directive-driven markdown → HTML pipeline whose
+// cairn-cms render engine: a directive-driven markdown to HTML pipeline whose
 // component vocabulary is supplied by a site's component registry. The site owns the
 // component builders, class names, icon set, and CSS; the engine owns the machinery.
-export * from './registry';
-export * from './glyph';
-export * from './remark-directives';
-export * from './rehype-dispatch';
-export * from './pipeline';
+export * from './registry.js';
+export * from './glyph.js';
+export * from './remark-directives.js';
+export * from './rehype-dispatch.js';
+export * from './pipeline.js';

package/dist/render/pipeline.d.ts

@@ -1,12 +1,12 @@
 import { type PluggableList } from 'unified';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export interface RendererOptions {
     /** A site's per-index motion formula for the top-level rise stagger
      *  (e.g. ecnordic's `(i) => '--rise:' + …`). Omit for no stagger. */
     rise?: (idx: number) => string;
 }
-/** Compose a site's render pipeline from its component registry: directive syntax →
- *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+/** Compose a site's render pipeline from its component registry: directive syntax to
+ *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
 export declare function createRenderer(registry: ComponentRegistry, options?: RendererOptions): {
     remarkPlugins: PluggableList;

package/dist/render/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC/B;yEACqE;IACrE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;CAC/B;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAavD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAEzD"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/lib/render/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,aAAa,EAAE,MAAM,SAAS,CAAC;AAUtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,WAAW,eAAe;IAC9B;yEACqE;IACrE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC;CAChC;AAED;;uFAEuF;AACvF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,GAAE,eAAoB;;;8BAarD,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;EAE3D"}

package/dist/render/pipeline.js

@@ -6,10 +6,10 @@ import remarkRehype from 'remark-rehype';
 import rehypeRaw from 'rehype-raw';
 import rehypeSlug from 'rehype-slug';
 import rehypeStringify from 'rehype-stringify';
-import { remarkDirectiveStamp } from './remark-directives';
-import { rehypeDispatch } from './rehype-dispatch';
-/** Compose a site's render pipeline from its component registry: directive syntax →
- *  stamped markers → registry-built hast. Returns `renderMarkdown` plus the remark/
+import { remarkDirectiveStamp } from './remark-directives.js';
+import { rehypeDispatch } from './rehype-dispatch.js';
+/** Compose a site's render pipeline from its component registry: directive syntax to
+ *  stamped markers to registry-built hast. Returns `renderMarkdown` plus the remark/
  *  rehype plugin arrays (so the Carta editor preview can reuse the exact same set). */
 export function createRenderer(registry, options = {}) {
     const remarkPlugins = [remarkDirective, [remarkDirectiveStamp, registry]];

package/dist/render/registry.d.ts

@@ -11,7 +11,7 @@ export interface ComponentDef {
     insertTemplate: string;
     /** Build the final hast element from the stamped directive element. */
     build: (node: Element, rise?: string) => Element;
-    /** Optional role→default-icon (e.g. `{ caution: 'warning' }`). */
+    /** Optional role-to-default-icon, e.g. `{ caution: 'warning' }`. */
     defaultIconByRole?: Record<string, string>;
 }
 export interface ComponentRegistry {
@@ -20,9 +20,11 @@ export interface ComponentRegistry {
     get(name: string): ComponentDef | undefined;
     defaultIcon(name: string, role?: string): string | undefined;
 }
-/** Build a registry from a site's component definitions. The single source the
- *  render pipeline (directive stamp + rehype dispatch) and the editor palette read. */
-export declare function defineRegistry(input: {
+/**
+ * Build a registry from a site's component definitions. The single source the render
+ * pipeline (directive stamp plus rehype dispatch) and the editor palette both read.
+ */
+export declare function defineRegistry({ components }: {
     components: ComponentDef[];
 }): ComponentRegistry;
 //# sourceMappingURL=registry.d.ts.map

package/dist/render/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/lib/render/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,6EAA6E;AAC7E,MAAM,WAAW,YAAY;IAC5B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,cAAc,EAAE,MAAM,CAAC;IACvB,uEAAuE;IACvE,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACjD,kEAAkE;IAClE,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,iBAAiB;IACjC,IAAI,EAAE,YAAY,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC7D;AAED;uFACuF;AACvF,wBAAgB,cAAc,CAAC,KAAK,EAAE;IAAE,UAAU,EAAE,YAAY,EAAE,CAAA;CAAE,GAAG,iBAAiB,CAQvF"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/lib/render/registry.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,6EAA6E;AAC7E,MAAM,WAAW,YAAY;IAC3B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,cAAc,EAAE,MAAM,CAAC;IACvB,uEAAuE;IACvE,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IACjD,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,YAAY,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;IAC5C,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC9D;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,EAAE,UAAU,EAAE,EAAE;IAAE,UAAU,EAAE,YAAY,EAAE,CAAA;CAAE,GAAG,iBAAiB,CAQhG"}

package/dist/render/registry.js

@@ -1,10 +1,12 @@
-/** Build a registry from a site's component definitions. The single source the
- *  render pipeline (directive stamp + rehype dispatch) and the editor palette read. */
-export function defineRegistry(input) {
-    const byName = new Map(input.components.map((c) => [c.name, c]));
+/**
+ * Build a registry from a site's component definitions. The single source the render
+ * pipeline (directive stamp plus rehype dispatch) and the editor palette both read.
+ */
+export function defineRegistry({ components }) {
+    const byName = new Map(components.map((c) => [c.name, c]));
     return {
-        defs: input.components,
-        names: input.components.map((c) => c.name),
+        defs: components,
+        names: components.map((c) => c.name),
         get: (name) => byName.get(name),
         defaultIcon: (name, role) => (role ? byName.get(name)?.defaultIconByRole?.[role] : undefined),
     };

package/dist/render/rehype-dispatch.d.ts

@@ -1,5 +1,5 @@
 import type { Root, Element, ElementContent } from 'hast';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export declare function isElement(node: ElementContent | undefined): node is Element;
 export declare function strProp(node: Element, name: string): string | undefined;
 /** Wrap a pre-built glyph in an ec-icon span; secondary role adds the modifier. */

package/dist/render/rehype-dispatch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rehype-dispatch.d.ts","sourceRoot":"","sources":["../../src/lib/render/rehype-dispatch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAc,MAAM,MAAM,CAAC;AAEtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,wBAAgB,SAAS,CAAC,IAAI,EAAE,cAAc,GAAG,SAAS,GAAG,IAAI,IAAI,OAAO,CAE3E;AAKD,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAGvE;AAED,mFAAmF;AACnF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED,kFAAkF;AAClF,MAAM,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;AAMhE,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,cAAc,EAAE,CAAA;CAAE,CAYvG;AAED;0CAC0C;AAC1C,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,OAAO,CAItG;AAED;kFACkF;AAClF,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,GAAG,SAAS,CAS7E;AAmBD;;;mFAGmF;AACnF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,IACjF,MAAM,IAAI,UAUlB"}
+{"version":3,"file":"rehype-dispatch.d.ts","sourceRoot":"","sources":["../../src/lib/render/rehype-dispatch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,cAAc,EAAc,MAAM,MAAM,CAAC;AAEtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD,wBAAgB,SAAS,CAAC,IAAI,EAAE,cAAc,GAAG,SAAS,GAAG,IAAI,IAAI,OAAO,CAE3E;AAKD,wBAAgB,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAGvE;AAED,mFAAmF;AACnF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED,kFAAkF;AAClF,MAAM,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;AAMhE,wBAAgB,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,cAAc,EAAE,CAAA;CAAE,CAYvG;AAED;0CAC0C;AAC1C,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,OAAO,CAItG;AAED;kFACkF;AAClF,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,GAAG,SAAS,CAS7E;AAmBD;;;mFAGmF;AACnF,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,IAChF,MAAM,IAAI,UAUnB"}

package/dist/render/remark-directives.d.ts

@@ -1,4 +1,4 @@
 import type { Root } from 'mdast';
-import type { ComponentRegistry } from './registry';
+import type { ComponentRegistry } from './registry.js';
 export declare function remarkDirectiveStamp(registry: ComponentRegistry): (tree: Root) => void;
 //# sourceMappingURL=remark-directives.d.ts.map

package/dist/render/remark-directives.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remark-directives.d.ts","sourceRoot":"","sources":["../../src/lib/render/remark-directives.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA8B,IAAI,EAAQ,MAAM,OAAO,CAAC;AAGpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAmCpD,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,iBAAiB,IAEvD,MAAM,IAAI,UA8BlB"}
+{"version":3,"file":"remark-directives.d.ts","sourceRoot":"","sources":["../../src/lib/render/remark-directives.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA8B,IAAI,EAAQ,MAAM,OAAO,CAAC;AAGpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAmCvD,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,iBAAiB,IAEtD,MAAM,IAAI,UA8BnB"}

package/dist/render/sanitize.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sanitize rendered preview HTML before it reaches `{@html}`. Strips scripts, inline event
+ * handlers, and dangerous URL schemes (`javascript:`, `data:`) while keeping ordinary formatting.
+ * Also forces `rel="noopener noreferrer"` on any anchor with `target="_blank"` to prevent
+ * reverse-tabnabbing. Browser-only; resolves the same string DOMPurify would return.
+ */
+export declare function sanitizePreviewHtml(html: string): Promise<string>;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/render/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/lib/render/sanitize.ts"],"names":[],"mappings":"AAOA;;;;;GAKG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAavE"}

package/dist/render/sanitize.js

@@ -0,0 +1,26 @@
+// The live preview's sanitize floor. Carta runs with `sanitizer: false` behind the MarkdownEditor
+// seam, so the admin preview pane is the one barrier between editor-authored markdown and the DOM.
+// DOMPurify needs a DOM, and the preview renders only in the browser after mount, so DOMPurify
+// loads through a dynamic import: the module never evaluates a DOM library on the Worker, and a
+// server import of this file pulls in nothing.
+let purify = null;
+/**
+ * Sanitize rendered preview HTML before it reaches `{@html}`. Strips scripts, inline event
+ * handlers, and dangerous URL schemes (`javascript:`, `data:`) while keeping ordinary formatting.
+ * Also forces `rel="noopener noreferrer"` on any anchor with `target="_blank"` to prevent
+ * reverse-tabnabbing. Browser-only; resolves the same string DOMPurify would return.
+ */
+export async function sanitizePreviewHtml(html) {
+    if (!purify) {
+        const mod = await import('dompurify');
+        purify = mod.default;
+        purify.addHook('afterSanitizeAttributes', (node) => {
+            if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+                node.setAttribute('rel', 'noopener noreferrer');
+            }
+        });
+    }
+    // ADD_ATTR: ['target'] allows target="_blank" through so the afterSanitizeAttributes hook
+    // can enforce rel="noopener noreferrer" on those anchors before they reach the DOM.
+    return purify.sanitize(html, { ADD_ATTR: ['target'] });
+}

package/dist/sveltekit/auth-routes.d.ts

@@ -0,0 +1,23 @@
+import { type AuthBranding, type SendMagicLink } from '../email.js';
+import type { RequestContext } from './types.js';
+export interface AuthRoutesConfig {
+    branding: AuthBranding;
+    send?: SendMagicLink;
+}
+export declare function createAuthRoutes(config: AuthRoutesConfig): {
+    loginLoad: (event: RequestContext) => {
+        siteName: string;
+        error: string | null;
+    };
+    requestAction: (event: RequestContext) => Promise<{
+        sent: true;
+    }>;
+    confirmLoad: (event: RequestContext) => {
+        token: string;
+        siteName: string;
+        error: string | null;
+    };
+    confirmAction: (event: RequestContext) => Promise<never>;
+    logoutAction: (event: RequestContext) => Promise<never>;
+};
+//# sourceMappingURL=auth-routes.d.ts.map

package/dist/sveltekit/auth-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/auth-routes.ts"],"names":[],"mappings":"AAcA,OAAO,EAAyC,KAAK,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC3G,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB;uBA2B7B,cAAc,KAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAnBjD,cAAc,KAAG,OAAO,CAAC;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;yBA4BnE,cAAc,KACpB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE;2BAcxB,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;0BAwBhC,cAAc,KAAG,OAAO,CAAC,KAAK,CAAC;EASnE"}

package/dist/sveltekit/auth-routes.js

@@ -0,0 +1,85 @@
+// The SvelteKit handlers for the magic-link flow, consumed by a site's thin route shims.
+// The factory takes per-site branding and an injected send, so tests run the real handlers
+// against a sink. The confirm-load, confirm, and logout handlers arrive in Task 6.
+import { redirect } from '@sveltejs/kit';
+import { requireOrigin, requireDb } from '../env.js';
+import { generateToken, generateSessionId, hashToken, TOKEN_TTL_MS, SESSION_TTL_MS, COOKIE_NAME, } from '../auth/crypto.js';
+import { findEditor, issueToken, consumeToken, createSession, deleteSession } from '../auth/store.js';
+import { buildMagicLinkMessage, cloudflareSend } from '../email.js';
+export function createAuthRoutes(config) {
+    const send = config.send ?? cloudflareSend;
+    /**
+     * POST /admin/auth/request. Looks the email up in the allowlist; on a match, issues a token
+     * and emails the confirmation link. The response is identical whether or not the email is
+     * allow-listed, so the endpoint never leaks membership.
+     */
+    async function requestAction(event) {
+        const env = event.platform?.env ?? {};
+        const origin = requireOrigin(env);
+        const db = requireDb(env);
+        const form = await event.request.formData();
+        const email = String(form.get('email') ?? '').trim().toLowerCase();
+        const editor = email ? await findEditor(db, email) : null;
+        if (editor) {
+            const token = generateToken();
+            const now = Date.now();
+            await issueToken(db, email, await hashToken(token), now + TOKEN_TTL_MS, now);
+            const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
+            await send(env, buildMagicLinkMessage({ to: email, branding: config.branding, link }));
+        }
+        return { sent: true };
+    }
+    /** GET /admin/login. Public. Carries the site name and an optional `?error` for the form. */
+    function loginLoad(event) {
+        return { siteName: config.branding.siteName, error: event.url.searchParams.get('error') };
+    }
+    /**
+     * GET /admin/auth/confirm. Renders the confirm page and consumes nothing; only the POST
+     * verifies. Sets Referrer-Policy: no-referrer so the token does not leak to a referrer.
+     */
+    function confirmLoad(event) {
+        event.setHeaders({ 'Referrer-Policy': 'no-referrer' });
+        return {
+            token: event.url.searchParams.get('token') ?? '',
+            siteName: config.branding.siteName,
+            error: event.url.searchParams.get('error'),
+        };
+    }
+    /**
+     * POST /admin/auth/confirm. Hashes the submitted token and consumes it atomically. A valid
+     * token yields the email; the handler creates a session, sets the cookie, and redirects to
+     * /admin. An invalid, replayed, or expired token redirects to the login page.
+     */
+    async function confirmAction(event) {
+        const db = requireDb(event.platform?.env ?? {});
+        const form = await event.request.formData();
+        const token = String(form.get('token') ?? '');
+        if (!token)
+            throw redirect(303, '/admin/login?error=expired');
+        const now = Date.now();
+        const email = await consumeToken(db, await hashToken(token), now);
+        if (!email)
+            throw redirect(303, '/admin/login?error=expired');
+        const id = generateSessionId();
+        await createSession(db, id, email, now + SESSION_TTL_MS, now);
+        event.cookies.set(COOKIE_NAME, id, {
+            path: '/',
+            httpOnly: true,
+            // Secure on HTTPS (every real deploy); off on local http dev so the cookie sticks.
+            secure: event.url.protocol === 'https:',
+            sameSite: 'lax',
+            maxAge: Math.floor(SESSION_TTL_MS / 1000),
+        });
+        throw redirect(303, '/admin');
+    }
+    /** POST /admin/auth/logout. Deletes the session row and clears the cookie. */
+    async function logoutAction(event) {
+        const db = requireDb(event.platform?.env ?? {});
+        const id = event.cookies.get(COOKIE_NAME);
+        if (id)
+            await deleteSession(db, id);
+        event.cookies.delete(COOKIE_NAME, { path: '/' });
+        throw redirect(303, '/admin/login');
+    }
+    return { loginLoad, requestAction, confirmLoad, confirmAction, logoutAction };
+}

package/dist/sveltekit/content-routes.d.ts

@@ -0,0 +1,80 @@
+import { type GithubKeyEnv } from '../github/credentials.js';
+import type { CairnRuntime, FrontmatterField } from '../content/types.js';
+import type { Editor, Role } from '../auth/types.js';
+/** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
+export interface NavConcept {
+    id: string;
+    label: string;
+}
+/** The admin layout's data: site identity, the signed-in user, the nav, and the active path. */
+export interface LayoutData {
+    siteName: string;
+    user: {
+        displayName: string;
+        role: Role;
+    };
+    concepts: NavConcept[];
+    pathname: string;
+    canManageEditors: boolean;
+    /** The nav menu's label when the site configures one; gates the Navigation nav entry. Null otherwise. */
+    navLabel: string | null;
+}
+/** One row in a concept's list view. */
+export interface EntrySummary {
+    id: string;
+    title: string;
+    date: string | null;
+    draft: boolean;
+}
+/** The concept list view's data. */
+export interface ListData {
+    conceptId: string;
+    label: string;
+    /** Posts carry a date in the new-entry form; pages do not (concept routing, spec §7.2). */
+    dated: boolean;
+    entries: EntrySummary[];
+    /** A listing failure degrades to an inline message rather than a thrown 500. */
+    error: string | null;
+    /** A create-form bounce error read from `?error`. */
+    formError: string | null;
+}
+/** The editor's data. `frontmatter` holds form-ready values (dates already `YYYY-MM-DD`). */
+export interface EditData {
+    conceptId: string;
+    id: string;
+    label: string;
+    fields: FrontmatterField[];
+    frontmatter: Record<string, unknown>;
+    body: string;
+    title: string;
+    isNew: boolean;
+    saved: boolean;
+    error: string | null;
+}
+/** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
+export interface ContentEvent {
+    url: URL;
+    params: Record<string, string>;
+    request: Request;
+    locals: {
+        editor?: Editor | null;
+    };
+    platform?: {
+        env?: GithubKeyEnv;
+    };
+}
+/** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
+export interface ContentRoutesDeps {
+    /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer. */
+    mintToken?: (env: GithubKeyEnv) => Promise<string>;
+}
+export declare function createContentRoutes(runtime: CairnRuntime, deps?: ContentRoutesDeps): {
+    layoutLoad: (event: ContentEvent) => LayoutData;
+    indexRedirect: () => never;
+    listLoad: (event: ContentEvent) => Promise<ListData>;
+    createAction: (event: ContentEvent) => Promise<never>;
+    editLoad: (event: ContentEvent) => Promise<EditData>;
+    saveAction: (event: ContentEvent) => Promise<never>;
+    mintToken: (env: GithubKeyEnv) => Promise<string>;
+};
+//# sourceMappingURL=content-routes.d.ts.map

package/dist/sveltekit/content-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-routes.d.ts","sourceRoot":"","sources":["../../src/lib/sveltekit/content-routes.ts"],"names":[],"mappings":"AAQA,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAI7E,OAAO,KAAK,EAAE,YAAY,EAAqB,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAErD,wGAAwG;AACxG,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gGAAgG;AAChG,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAC1C,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,yGAAyG;IACzG,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,wCAAwC;AACxC,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,oCAAoC;AACpC,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,2FAA2F;IAC3F,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,gFAAgF;IAChF,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,qDAAqD;IACrD,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,6FAA6F;AAC7F,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,gGAAgG;AAChG,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,YAAY,CAAA;KAAE,CAAC;CACnC;AAED,sFAAsF;AACtF,MAAM,WAAW,iBAAiB;IAChC,6FAA6F;IAC7F,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACpD;AAgBD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,IAAI,GAAE,iBAAsB;wBAK1D,YAAY,KAAG,UAAU;yBAa1B,KAAK;sBAqBA,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;0BAqB5B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;sBA+BjC,YAAY,KAAG,OAAO,CAAC,QAAQ,CAAC;wBAgC9B,YAAY,KAAG,OAAO,CAAC,KAAK,CAAC;qBA5I5C,YAAY,KAAK,OAAO,CAAC,MAAM,CAAC;EAqLnD"}