@glw907/cairn-cms 0.5.1 → 0.6.0-rc.1

package/dist/auth/crypto.d.ts

@@ -0,0 +1,13 @@
+/** The session cookie name. */
+export declare const COOKIE_NAME = "cairn_session";
+/** Magic-link tokens live 10 minutes. */
+export declare const TOKEN_TTL_MS: number;
+/** Sessions live 30 days. */
+export declare const SESSION_TTL_MS: number;
+/** A fresh 256-bit magic-link token, url-safe. */
+export declare function generateToken(): string;
+/** A fresh 256-bit session id, url-safe. */
+export declare function generateSessionId(): string;
+/** The lowercase hex SHA-256 of a token, for storage and lookup. */
+export declare function hashToken(token: string): Promise<string>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/auth/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/auth/crypto.ts"],"names":[],"mappings":"AAIA,+BAA+B;AAC/B,eAAO,MAAM,WAAW,kBAAkB,CAAC;AAE3C,yCAAyC;AACzC,eAAO,MAAM,YAAY,QAAiB,CAAC;AAE3C,6BAA6B;AAC7B,eAAO,MAAM,cAAc,QAA2B,CAAC;AAUvD,kDAAkD;AAClD,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,4CAA4C;AAC5C,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,oEAAoE;AACpE,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI9D"}

package/dist/auth/crypto.js

@@ -0,0 +1,31 @@
+// Token and session-id generation plus SHA-256 token hashing, on Web Crypto so the
+// code runs unchanged in workerd. The store keeps only the hash of a token, never the
+// token itself (spec 7.1).
+/** The session cookie name. */
+export const COOKIE_NAME = 'cairn_session';
+/** Magic-link tokens live 10 minutes. */
+export const TOKEN_TTL_MS = 10 * 60 * 1000;
+/** Sessions live 30 days. */
+export const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+function randomBase64Url(byteLength = 32) {
+    const bytes = new Uint8Array(byteLength);
+    crypto.getRandomValues(bytes);
+    let binary = '';
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replaceAll('=', '');
+}
+/** A fresh 256-bit magic-link token, url-safe. */
+export function generateToken() {
+    return randomBase64Url(32);
+}
+/** A fresh 256-bit session id, url-safe. */
+export function generateSessionId() {
+    return randomBase64Url(32);
+}
+/** The lowercase hex SHA-256 of a token, for storage and lookup. */
+export async function hashToken(token) {
+    const data = new TextEncoder().encode(token);
+    const digest = await crypto.subtle.digest('SHA-256', data);
+    return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, '0')).join('');
+}

package/dist/auth/store.d.ts

@@ -0,0 +1,41 @@
+import type { D1Database } from '@cloudflare/workers-types';
+import type { Editor, Role } from './types.js';
+/** Look an email up in the allowlist. */
+export declare function findEditor(db: D1Database, email: string): Promise<Editor | null>;
+/** Replace any prior token for this email with a fresh one, atomically. */
+export declare function issueToken(db: D1Database, email: string, tokenHash: string, expiresAt: number, now: number): Promise<void>;
+/**
+ * Consume a token in one atomic statement. A returned email means the token was present and
+ * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
+ */
+export declare function consumeToken(db: D1Database, tokenHash: string, now: number): Promise<string | null>;
+/** Create a session row. */
+export declare function createSession(db: D1Database, id: string, email: string, expiresAt: number, now: number): Promise<void>;
+/**
+ * Resolve a session to its editor, joining `editor` so the role is read live. An expired
+ * session or a removed editor resolves to null, which revokes access on the next request.
+ */
+export declare function resolveSession(db: D1Database, id: string, now: number): Promise<Editor | null>;
+/** Delete a session (logout). */
+export declare function deleteSession(db: D1Database, id: string): Promise<void>;
+/** The full allowlist, sorted by email. */
+export declare function listEditors(db: D1Database): Promise<Editor[]>;
+/** Add an editor to the allowlist. */
+export declare function insertEditor(db: D1Database, email: string, displayName: string, role: Role, now: number): Promise<void>;
+/** Remove an editor and cut their live access (sessions and any pending token go too). */
+export declare function deleteEditor(db: D1Database, email: string): Promise<void>;
+/**
+ * Remove an owner only if another owner remains. The count is part of the DELETE, so two
+ * concurrent removals cannot both pass a separate check and strand the allowlist at zero
+ * owners. Returns false (and writes nothing) when this is the last owner. On success the
+ * editor's sessions and pending token go too.
+ */
+export declare function removeOwnerIfNotLast(db: D1Database, email: string): Promise<boolean>;
+/** Change an editor's role. The guard reads the new role on the next request. */
+export declare function setEditorRole(db: D1Database, email: string, role: Role): Promise<void>;
+/**
+ * Demote an owner to editor only if another owner remains, in one atomic statement (see
+ * `removeOwnerIfNotLast`). Returns false (and writes nothing) when this is the last owner.
+ */
+export declare function demoteOwnerIfNotLast(db: D1Database, email: string): Promise<boolean>;
+//# sourceMappingURL=store.d.ts.map

package/dist/auth/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/lib/auth/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAQ/C,yCAAyC;AACzC,wBAAsB,UAAU,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMtF;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,CAC9B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMzG;AAED,4BAA4B;AAC5B,wBAAsB,aAAa,CACjC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAUpG;AAED,iCAAiC;AACjC,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE7E;AAED,2CAA2C;AAC3C,wBAAsB,WAAW,CAAC,EAAE,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAKnE;AAED,sCAAsC;AACtC,wBAAsB,YAAY,CAChC,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,EACV,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,0FAA0F;AAC1F,wBAAsB,YAAY,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAM/E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAe1F;AAED,iFAAiF;AACjF,wBAAsB,aAAa,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAE5F;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAU1F"}

package/dist/auth/store.js

@@ -0,0 +1,115 @@
+function toEditor(row) {
+    return { email: row.email, displayName: row.display_name, role: row.role };
+}
+/** Look an email up in the allowlist. */
+export async function findEditor(db, email) {
+    const row = await db
+        .prepare('SELECT email, display_name, role FROM editor WHERE email = ?')
+        .bind(email)
+        .first();
+    return row ? toEditor(row) : null;
+}
+/** Replace any prior token for this email with a fresh one, atomically. */
+export async function issueToken(db, email, tokenHash, expiresAt, now) {
+    await db.batch([
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+        db
+            .prepare('INSERT INTO magic_token (token_hash, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+            .bind(tokenHash, email, expiresAt, now),
+    ]);
+}
+/**
+ * Consume a token in one atomic statement. A returned email means the token was present and
+ * unexpired and is now gone, so the link is single-use by construction on strongly-consistent D1.
+ */
+export async function consumeToken(db, tokenHash, now) {
+    const row = await db
+        .prepare('DELETE FROM magic_token WHERE token_hash = ? AND expires_at > ? RETURNING email')
+        .bind(tokenHash, now)
+        .first();
+    return row?.email ?? null;
+}
+/** Create a session row. */
+export async function createSession(db, id, email, expiresAt, now) {
+    await db
+        .prepare('INSERT INTO session (id, email, expires_at, created_at) VALUES (?, ?, ?, ?)')
+        .bind(id, email, expiresAt, now)
+        .run();
+}
+/**
+ * Resolve a session to its editor, joining `editor` so the role is read live. An expired
+ * session or a removed editor resolves to null, which revokes access on the next request.
+ */
+export async function resolveSession(db, id, now) {
+    const row = await db
+        .prepare(`SELECT e.email AS email, e.display_name AS display_name, e.role AS role
+       FROM session s JOIN editor e ON e.email = s.email
+       WHERE s.id = ? AND s.expires_at > ?`)
+        .bind(id, now)
+        .first();
+    return row ? toEditor(row) : null;
+}
+/** Delete a session (logout). */
+export async function deleteSession(db, id) {
+    await db.prepare('DELETE FROM session WHERE id = ?').bind(id).run();
+}
+/** The full allowlist, sorted by email. */
+export async function listEditors(db) {
+    const { results } = await db
+        .prepare('SELECT email, display_name, role FROM editor ORDER BY email')
+        .all();
+    return results.map(toEditor);
+}
+/** Add an editor to the allowlist. */
+export async function insertEditor(db, email, displayName, role, now) {
+    await db
+        .prepare('INSERT INTO editor (email, display_name, role, created_at) VALUES (?, ?, ?, ?)')
+        .bind(email, displayName, role, now)
+        .run();
+}
+/** Remove an editor and cut their live access (sessions and any pending token go too). */
+export async function deleteEditor(db, email) {
+    await db.batch([
+        db.prepare('DELETE FROM session WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM editor WHERE email = ?').bind(email),
+    ]);
+}
+/**
+ * Remove an owner only if another owner remains. The count is part of the DELETE, so two
+ * concurrent removals cannot both pass a separate check and strand the allowlist at zero
+ * owners. Returns false (and writes nothing) when this is the last owner. On success the
+ * editor's sessions and pending token go too.
+ */
+export async function removeOwnerIfNotLast(db, email) {
+    const res = await db
+        .prepare(`DELETE FROM editor
+       WHERE email = ? AND role = 'owner'
+         AND (SELECT COUNT(*) FROM editor WHERE role = 'owner') > 1`)
+        .bind(email)
+        .run();
+    if (res.meta.changes !== 1)
+        return false;
+    await db.batch([
+        db.prepare('DELETE FROM session WHERE email = ?').bind(email),
+        db.prepare('DELETE FROM magic_token WHERE email = ?').bind(email),
+    ]);
+    return true;
+}
+/** Change an editor's role. The guard reads the new role on the next request. */
+export async function setEditorRole(db, email, role) {
+    await db.prepare('UPDATE editor SET role = ? WHERE email = ?').bind(role, email).run();
+}
+/**
+ * Demote an owner to editor only if another owner remains, in one atomic statement (see
+ * `removeOwnerIfNotLast`). Returns false (and writes nothing) when this is the last owner.
+ */
+export async function demoteOwnerIfNotLast(db, email) {
+    const res = await db
+        .prepare(`UPDATE editor SET role = 'editor'
+       WHERE email = ? AND role = 'owner'
+         AND (SELECT COUNT(*) FROM editor WHERE role = 'owner') > 1`)
+        .bind(email)
+        .run();
+    return res.meta.changes === 1;
+}

package/dist/auth/types.d.ts

@@ -0,0 +1,25 @@
+import type { D1Database } from '@cloudflare/workers-types';
+export type Role = 'owner' | 'editor';
+/** The session shape the whole admin reads: guard, loads, content fns, manage-editors. */
+export interface Editor {
+    email: string;
+    displayName: string;
+    role: Role;
+}
+/** Worker bindings and vars the auth layer reads; a structural subset of `Platform.env`. */
+export interface AuthEnv {
+    AUTH_DB?: D1Database;
+    /** Canonical origin for confirmation links, never read from a request header (spec 7.1, risk H3). */
+    PUBLIC_ORIGIN?: string;
+    /** Cloudflare Email Sending binding. */
+    EMAIL?: {
+        send(message: {
+            to: string;
+            from: string;
+            subject: string;
+            html: string;
+            text: string;
+        }): Promise<void>;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/lib/auth/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEtC,0FAA0F;AAC1F,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;CACZ;AAED,4FAA4F;AAC5F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,qGAAqG;IACrG,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wCAAwC;IACxC,KAAK,CAAC,EAAE;QACN,IAAI,CAAC,OAAO,EAAE;YACZ,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,MAAM,CAAC;SACd,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACnB,CAAC;CACH"}

package/dist/auth/types.js

@@ -0,0 +1 @@
+export {};

package/dist/components/AdminLayout.svelte

@@ -1,186 +1,80 @@
+<!--
+@component
+The admin shell: a DaisyUI drawer-and-navbar that wraps every authed admin page. The nav is
+data-driven from the enabled concepts and role-gated (owners see the manage-editors entry). The
+root sets `data-theme="cairn-admin"` and imports the self-contained Warm Stone theme, so the
+admin looks identical on every host regardless of the site's own theme.
+-->
 <script lang="ts">
-  // Neutral admin chrome shared across sites. Signed in: DaisyUI drawer+navbar shell (sidebar
-  // pinned on desktop, slide-over on mobile). Signed out: minimal centered shell. The
-  // `cairn-admin` class on both roots scopes the "Warm Stone" theme; see the style block.
   import type { Snippet } from 'svelte';
-  import type { CairnUser } from '../auth';
+  import type { LayoutData } from '../sveltekit/content-routes.js';
+  import './cairn-admin.css';
 
-  let {
-    data,
-    children,
-  }: {
-    data: {
-      siteName: string;
-      user: CairnUser | null;
-      pathname: string;
-      collections: { type: string; label: string }[];
-      navMenus: { name: string; label: string }[];
-      canManageNav: boolean;
-    };
+  interface Props {
+    /** The layout load's data: site name, user, nav concepts, active path, owner capability. */
+    data: LayoutData;
+    /** The page body. */
     children: Snippet;
-  } = $props();
+  }
+
+  let { data, children }: Props = $props();
 
   interface NavItem {
     href: string;
     label: string;
-    icon: Snippet;
-    active: boolean;
-    /** Owner-only surface; hidden from regular editors. */
     owner?: boolean;
   }
 
-  const nav = $derived<NavItem[]>([
-    ...data.collections.map((collection) => ({
-      href: `/admin/${collection.type}`,
-      label: collection.label,
-      icon: contentIcon,
-      active:
-        data.pathname === `/admin/${collection.type}` ||
-        data.pathname.startsWith(`/admin/edit/${collection.type}/`),
-    })),
-    ...(data.canManageNav && data.navMenus.length
-      ? [{ href: '/admin/nav', label: 'Navigation', icon: navIcon, active: data.pathname.startsWith('/admin/nav') }]
-      : []),
-    {
-      href: '/admin/admins',
-      label: 'Editors',
-      icon: editorsIcon,
-      owner: true,
-      active: data.pathname.startsWith('/admin/admins'),
-    },
+  const navItems: NavItem[] = $derived([
+    ...data.concepts.map((c) => ({ href: `/admin/${c.id}`, label: c.label })),
+    ...(data.navLabel ? [{ href: '/admin/nav', label: data.navLabel }] : []),
+    { href: '/admin/editors', label: 'Editors', owner: true },
   ]);
-  const visibleNav = $derived(nav.filter((item) => !item.owner || data.user?.role === 'owner'));
 
-  // Close the slide-over after a nav tap on mobile.
-  function closeDrawer(): void {
-    const toggle = document.getElementById('admin-drawer');
-    if (toggle instanceof HTMLInputElement) toggle.checked = false;
+  const visibleNav = $derived(navItems.filter((item) => !item.owner || data.canManageEditors));
+
+  function isActive(href: string): boolean {
+    return data.pathname === href || data.pathname.startsWith(`${href}/`);
   }
 </script>
 
-{#snippet contentIcon()}
-  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-      d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-  </svg>
-{/snippet}
-
-{#snippet editorsIcon()}
-  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-      d="M17 20h5v-2a4 4 0 00-3-3.87M9 20H4v-2a4 4 0 013-3.87m6-1.13a4 4 0 10-4-4 4 4 0 004 4zm6 0a4 4 0 10-3.5-2.1" />
-  </svg>
-{/snippet}
-
-{#snippet navIcon()}
-  <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-      d="M4 6h16M4 12h16M4 18h16" />
-  </svg>
-{/snippet}
-
-<svelte:head>
-  <meta name="robots" content="noindex, nofollow" />
-</svelte:head>
-
-{#if data.user}
-  <div class="cairn-admin drawer min-h-screen bg-base-200 lg:drawer-open" data-pagefind-ignore>
-    <input id="admin-drawer" type="checkbox" class="drawer-toggle" />
-
-    <div class="drawer-content">
-      <!-- Mobile top bar; the desktop sidebar replaces this at lg. -->
-      <div class="navbar bg-base-100 lg:hidden">
-        <div class="flex-1">
-          <span class="px-2 text-xl font-bold">{data.siteName} CMS</span>
-        </div>
-        <div class="flex-none">
-          <label for="admin-drawer" class="btn btn-square btn-ghost" aria-label="Open menu">
-            <svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h7" />
-            </svg>
-          </label>
-        </div>
+<div data-theme="cairn-admin" class="drawer lg:drawer-open min-h-screen bg-base-200 text-base-content">
+  <input id="cairn-drawer" type="checkbox" class="drawer-toggle" />
+
+  <div class="drawer-content flex flex-col">
+    <div class="navbar bg-base-100 border-b border-base-300">
+      <div class="flex-none lg:hidden">
+        <label for="cairn-drawer" aria-label="Open menu" class="btn btn-square btn-ghost">
+          <svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16" />
+          </svg>
+        </label>
       </div>
-
-      <main class="container px-4 py-6 lg:px-8">
-        {@render children()}
-      </main>
+      <div class="flex-1 px-2 font-semibold">{data.siteName}</div>
+      <div class="flex-none px-2 text-sm text-[var(--color-muted)]">{data.user.displayName}</div>
     </div>
 
-    <div class="drawer-side z-10">
-      <label for="admin-drawer" class="drawer-overlay" aria-label="Close menu"></label>
-      <div class="flex min-h-full w-80 flex-col bg-base-100 lg:border-r lg:border-base-300">
-        <ul class="menu menu-lg grow p-4">
-          <li class="menu-title flex flex-row items-center text-xl font-bold text-base-content">
-            <span class="grow">{data.siteName} CMS</span>
-            <label for="admin-drawer" class="ml-3 cursor-pointer lg:hidden" aria-label="Close menu">✕</label>
-          </li>
-          {#each visibleNav as item (item.href)}
-            <li>
-              <a href={item.href} class={item.active ? 'active' : ''} onclick={closeDrawer}>
-                {@render item.icon()}
-                {item.label}
-              </a>
-            </li>
-          {/each}
-        </ul>
-
-        <div class="border-t border-base-300 p-4">
-          <p class="text-sm font-medium">{data.user.name}</p>
-          <p class="text-xs opacity-60">{data.user.email}</p>
-          <form method="POST" action="/admin/auth/logout" class="mt-3">
-            <button type="submit" class="btn btn-ghost btn-sm btn-block justify-start">Sign out</button>
-          </form>
-        </div>
-      </div>
-    </div>
-  </div>
-{:else}
-  <!-- Signed out (login page): no nav, just a centered surface. -->
-  <div class="cairn-admin min-h-screen bg-base-200" data-pagefind-ignore>
-    <div class="mx-auto max-w-3xl px-4 py-8">
+    <main class="flex-1 p-4 lg:p-8">
       {@render children()}
-    </div>
+    </main>
   </div>
-{/if}
-
-<style>
-  /* Warm Stone: a neutral, fully self-contained admin theme (R6), light-only. Overriding the
-     DaisyUI v5 tokens + font on this root re-skins the whole admin subtree by inheritance, so
-     the tool looks identical on every host regardless of the site's own theme. Values are OKLCH
-     (no hex/rgb, per the design-system rule). Warm-gray neutrals (hue ~75), violet accent. */
-  .cairn-admin {
-    color-scheme: light;
-    font-family: system-ui, -apple-system, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
-
-    --color-base-100: oklch(98.5% 0.004 75);
-    --color-base-200: oklch(96% 0.005 75);
-    --color-base-300: oklch(92% 0.008 75);
-    --color-base-content: oklch(28% 0.012 75);
 
-    --color-primary: oklch(52% 0.20 293);
-    --color-primary-content: oklch(98% 0.012 293);
-    --color-secondary: oklch(45% 0.02 75);
-    --color-secondary-content: oklch(98% 0.004 75);
-    --color-accent: oklch(58% 0.16 300);
-    --color-accent-content: oklch(98% 0.012 300);
-    --color-neutral: oklch(32% 0.012 75);
-    --color-neutral-content: oklch(96% 0.004 75);
-
-    --color-info: oklch(60% 0.12 240);
-    --color-info-content: oklch(98% 0.01 240);
-    --color-success: oklch(58% 0.12 150);
-    --color-success-content: oklch(98% 0.01 150);
-    --color-warning: oklch(75% 0.15 70);
-    --color-warning-content: oklch(25% 0.02 70);
-    --color-error: oklch(58% 0.20 25);
-    --color-error-content: oklch(98% 0.01 25);
-
-    --radius-selector: 0.5rem;
-    --radius-field: 0.5rem;
-    --radius-box: 0.75rem;
-    --size-selector: 0.25rem;
-    --size-field: 0.25rem;
-    --border: 1px;
-  }
-</style>
+  <div class="drawer-side">
+    <label for="cairn-drawer" aria-label="Close menu" class="drawer-overlay"></label>
+    <nav class="bg-base-100 min-h-full w-64 border-r border-base-300 p-4" aria-label="Site content">
+      <div class="menu-title mb-2 px-2 text-xs uppercase tracking-wide text-[var(--color-muted)]">Content</div>
+      <ul class="menu menu-lg w-full">
+        {#each visibleNav as item (item.href)}
+          <li>
+            <a href={item.href} class:menu-active={isActive(item.href)} aria-current={isActive(item.href) ? 'page' : undefined}>
+              {item.label}
+            </a>
+          </li>
+        {/each}
+      </ul>
+      <form method="POST" action="/admin/auth/logout" class="mt-6 px-2">
+        <button type="submit" class="btn btn-ghost btn-sm btn-block">Sign out</button>
+      </form>
+    </nav>
+  </div>
+</div>

package/dist/components/AdminLayout.svelte.d.ts

@@ -1,23 +1,19 @@
 import type { Snippet } from 'svelte';
-import type { CairnUser } from '../auth';
-type $$ComponentProps = {
-    data: {
-        siteName: string;
-        user: CairnUser | null;
-        pathname: string;
-        collections: {
-            type: string;
-            label: string;
-        }[];
-        navMenus: {
-            name: string;
-            label: string;
-        }[];
-        canManageNav: boolean;
-    };
+import type { LayoutData } from '../sveltekit/content-routes.js';
+import './cairn-admin.css';
+interface Props {
+    /** The layout load's data: site name, user, nav concepts, active path, owner capability. */
+    data: LayoutData;
+    /** The page body. */
     children: Snippet;
-};
-declare const AdminLayout: import("svelte").Component<$$ComponentProps, {}, "">;
+}
+/**
+ * The admin shell: a DaisyUI drawer-and-navbar that wraps every authed admin page. The nav is
+ * data-driven from the enabled concepts and role-gated (owners see the manage-editors entry). The
+ * root sets `data-theme="cairn-admin"` and imports the self-contained Warm Stone theme, so the
+ * admin looks identical on every host regardless of the site's own theme.
+ */
+declare const AdminLayout: import("svelte").Component<Props, {}, "">;
 type AdminLayout = ReturnType<typeof AdminLayout>;
 export default AdminLayout;
 //# sourceMappingURL=AdminLayout.svelte.d.ts.map

package/dist/components/AdminLayout.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAWxC,KAAK,gBAAgB,GAAI;IACtB,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC;QACvB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC/C,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC5C,YAAY,EAAE,OAAO,CAAC;KACvB,CAAC;IACF,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC;AAkIJ,QAAA,MAAM,WAAW,sDAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}
+{"version":3,"file":"AdminLayout.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/AdminLayout.svelte.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AACjE,OAAO,mBAAmB,CAAC;AAGzB,UAAU,KAAK;IACb,4FAA4F;IAC5F,IAAI,EAAE,UAAU,CAAC;IACjB,qBAAqB;IACrB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAyEH;;;;;GAKG;AACH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/components/ComponentPalette.svelte

@@ -1,31 +1,47 @@
+<!--
+@component
+The insert-component palette: a dropdown listing the site's registered directive components
+(seam 3). Picking one inserts its template at the cursor through the editor's insert callback.
+Renders nothing when the site configures no registry.
+-->
 <script lang="ts">
-  // The insert-component palette (R10). Reads the site's component registry (R10a) and inserts a
-  // scaffolded directive snippet at the cursor via the `insert` callback. DaisyUI dropdown so it
-  // matches the Warm Stone admin theme. Shown only when the site supplies a non-empty registry; a
-  // plain-markdown site (e.g. 907.life) passes no registry and this renders nothing.
-  import type { ComponentRegistry } from '../render';
+  import type { ComponentRegistry } from '../render/registry.js';
 
-  let { registry, insert }: { registry?: ComponentRegistry; insert: (template: string) => void } =
-    $props();
+  interface Props {
+    /** The site's component registry; the palette derives its catalog from it. */
+    registry?: ComponentRegistry;
+    /** Insert a template at the editor's cursor. */
+    insert: (template: string) => void;
+  }
+
+  let { registry, insert }: Props = $props();
 
   const defs = $derived(registry?.defs ?? []);
+  let open = $state(false);
 </script>
 
 {#if defs.length > 0}
-  <div class="dropdown">
-    <button type="button" tabindex="0" class="btn btn-sm btn-ghost">Insert ▾</button>
-    <ul
-      class="dropdown-content menu z-10 mt-1 w-72 rounded-box border border-base-300 bg-base-100 p-2 shadow"
-    >
+  <div
+    class="dropdown"
+    class:dropdown-open={open}
+    role="presentation"
+    onkeydown={(e) => { if (e.key === 'Escape') open = false; }}
+  >
+    <button
+      type="button"
+      class="btn btn-sm btn-ghost"
+      aria-haspopup="listbox"
+      aria-expanded={open}
+      onclick={() => (open = !open)}
+    >Insert</button>
+    <ul class="dropdown-content menu rounded-box border border-base-300 bg-base-100 z-10 w-56 shadow" role="listbox">
       {#each defs as def (def.name)}
-        <li>
-          <button
-            type="button"
-            class="flex flex-col items-start gap-0.5"
-            onclick={() => insert(def.insertTemplate)}
-          >
-            <span class="font-medium">{def.label}</span>
-            <span class="text-xs opacity-60">{def.description}</span>
+        <li role="option" aria-selected={false}>
+          <button type="button" onclick={() => { insert(def.insertTemplate); open = false; }}>
+            <span class="flex flex-col items-start">
+              <span class="font-medium">{def.label}</span>
+              <span class="text-xs text-[var(--color-muted)]">{def.description}</span>
+            </span>
           </button>
         </li>
       {/each}

package/dist/components/ComponentPalette.svelte.d.ts

@@ -1,9 +1,16 @@
-import type { ComponentRegistry } from '../render';
-type $$ComponentProps = {
+import type { ComponentRegistry } from '../render/registry.js';
+interface Props {
+    /** The site's component registry; the palette derives its catalog from it. */
     registry?: ComponentRegistry;
+    /** Insert a template at the editor's cursor. */
     insert: (template: string) => void;
-};
-declare const ComponentPalette: import("svelte").Component<$$ComponentProps, {}, "">;
+}
+/**
+ * The insert-component palette: a dropdown listing the site's registered directive components
+ * (seam 3). Picking one inserts its template at the cursor through the editor's insert callback.
+ * Renders nothing when the site configures no registry.
+ */
+declare const ComponentPalette: import("svelte").Component<Props, {}, "">;
 type ComponentPalette = ReturnType<typeof ComponentPalette>;
 export default ComponentPalette;
 //# sourceMappingURL=ComponentPalette.svelte.d.ts.map

package/dist/components/ComponentPalette.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ComponentPalette.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ComponentPalette.svelte.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAElD,KAAK,gBAAgB,GAAI;IAAE,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,CAAC;AAgC/F,QAAA,MAAM,gBAAgB,sDAAwC,CAAC;AAC/D,KAAK,gBAAgB,GAAG,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC5D,eAAe,gBAAgB,CAAC"}
+{"version":3,"file":"ComponentPalette.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/ComponentPalette.svelte.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG7D,UAAU,KAAK;IACb,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,gDAAgD;IAChD,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;CACpC;AAgCH;;;;GAIG;AACH,QAAA,MAAM,gBAAgB,2CAAwC,CAAC;AAC/D,KAAK,gBAAgB,GAAG,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC5D,eAAe,gBAAgB,CAAC"}