@glw907/cairn-cms 0.5.1 → 0.6.0-rc.1

package/dist/auth/config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAK9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AAU3D,2FAA2F;AAC3F,MAAM,WAAW,OAAO;IACtB,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4FAA4F;IAC5F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,qFAAqF;AACrF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,0FAA0F;AAC1F,KAAK,SAAS,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAmD0S,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA1Bz1hB;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAkB4O,CAAC;;;;;;;;;6BAAsN,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qCA5Fxe,CAAC;;;;;;;;;yCASpE,CAAC;;;;;;;;;;;;;;;yCAUF,CAAA;yCAAoD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCA2BtC,CAAC;qCAEf,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAgCJ,CAAF;qCAEE,CAAD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAUu4E,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAsmC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAg3F,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA28C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA20C,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAkvC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAo6B,CAAC;6BAA8C,CAAC;;;;;;;;;;;;;;;6BAAqY,CAAC;6BAA8C,CAAC;;;;;;;;;yBAA0O,CAAC;;;;;;;;;;;;;;;;;;qCAA2nB,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAA0vC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAyuC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qCAAwxC,CAAC;qCAAkD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAHz1hB;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}

package/dist/auth/config.js

@@ -1,78 +0,0 @@
-// cairn-core: the better-auth instance. Auth is engine code (engine-fat rule), so the whole
-// config lives here: Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles.
-// Instantiated PER REQUEST in hooks.server.ts (the D1 binding is request-scoped); the factory
-// is cheap (no I/O at construction).
-import { betterAuth } from 'better-auth';
-import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { drizzle } from 'drizzle-orm/d1';
-import { magicLink, admin } from 'better-auth/plugins';
-import { createAccessControl } from 'better-auth/plugins/access';
-import { defaultStatements } from 'better-auth/plugins/admin/access';
-import { sendMagicLink } from '../email';
-import * as schema from './schema';
-// Two-tier roles on the admin plugin's access-control system: `owner` holds every admin
-// statement (manage editors, revoke sessions); `editor` holds none (content-only). `adminRoles`
-// must name a role defined here, so owner (not the plugin's built-in `admin`) is the gate.
-const ac = createAccessControl(defaultStatements);
-const owner = ac.newRole(defaultStatements);
-const editor = ac.newRole({});
-/**
- * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
- * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
- * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
- * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
- * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
- */
-export function buildAuth(opts) {
-    return betterAuth({
-        appName: opts.branding.siteName,
-        secret: opts.secret,
-        baseURL: opts.baseURL,
-        trustedOrigins: [opts.baseURL],
-        database: opts.database,
-        plugins: [
-            magicLink({
-                disableSignUp: true,
-                expiresIn: 600,
-                storeToken: 'hashed',
-                sendMagicLink: async ({ email, token }, ctx) => {
-                    // Allowlist gate: better-auth always fires this callback (even for unknown emails, to
-                    // avoid enumeration) and only blocks user creation at verify. So gate the actual send
-                    // here. Never email a non-editor. The login UI shows neutral copy either way, so this
-                    // leaks nothing; it just stops strangers receiving a dead link.
-                    const existing = await ctx?.context.internalAdapter.findUserByEmail(email);
-                    if (!existing?.user)
-                        return;
-                    await opts.sendLink(email, token);
-                },
-            }),
-            admin({ ac, roles: { owner, editor }, defaultRole: 'editor', adminRoles: ['owner'] }),
-        ],
-    });
-}
-/**
- * Build the per-request better-auth instance over the site's D1 binding. The magic-link email
- * points at OUR confirm page carrying only the token; consumption happens when the user clicks
- * "Confirm sign-in" there (a POST), never on a scanner GET (C2 / POST-confirm). The origin is
- * config-derived (`PUBLIC_ORIGIN`/`BETTER_AUTH_URL`), never request-derived (H3).
- */
-export function createAuth(env, branding) {
-    if (!env.AUTH_DB)
-        throw new Error('AUTH_DB (D1) binding is required');
-    const origin = env.PUBLIC_ORIGIN || env.BETTER_AUTH_URL || 'http://localhost';
-    const db = drizzle(env.AUTH_DB, { schema });
-    return buildAuth({
-        database: drizzleAdapter(db, { provider: 'sqlite', schema }),
-        baseURL: origin,
-        secret: env.AUTH_SECRET,
-        branding,
-        sendLink: async (email, token) => {
-            if (!env.EMAIL)
-                throw new Error('EMAIL binding is required to send magic links');
-            const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-            await sendMagicLink(env.EMAIL, email, link, branding.siteName, branding.sender);
-        },
-    });
-}

package/dist/auth/guard.d.ts

@@ -1,34 +0,0 @@
-import type { Auth } from './config';
-/** The session shape the whole admin reads: layout, guards, content fns, manage-editors. */
-export interface CairnUser {
-    id: string;
-    email: string;
-    name: string;
-    role: 'owner' | 'editor';
-}
-/** Read the better-auth session into a cairn user (or null). */
-export declare function loadSession(auth: Auth, request: Request): Promise<CairnUser | null>;
-export declare function requireSession(user: CairnUser | null): CairnUser;
-type ConfirmEvent = {
-    request: Request;
-    locals: {
-        auth: Auth;
-    };
-    url: URL;
-};
-/**
- * POST-confirm verification (C2). Invoked from the confirm page's POST action: proxies the
- * token to better-auth's GET verify endpoint via the per-request handler, then forwards the
- * resulting Set-Cookie(s) onto a 303 to /admin. Scanners GET the confirm *page* (nothing is
- * consumed); only this explicit POST consumes the token.
- */
-export declare function confirmSignIn(event: ConfirmEvent): Promise<Response>;
-/** Sign out via better-auth, forwarding the session-clearing cookies, then 303 to login. */
-export declare function signOut(event: {
-    request: Request;
-    locals: {
-        auth: Auth;
-    };
-}): Promise<Response>;
-export {};
-//# sourceMappingURL=guard.d.ts.map

package/dist/auth/guard.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../../src/lib/auth/guard.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAErC,4FAA4F;AAC5F,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED,gEAAgE;AAChE,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAKzF;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAGhE;AAED,KAAK,YAAY,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AAE3E;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,CAa1E;AAED,4FAA4F;AAC5F,wBAAsB,OAAO,CAAC,KAAK,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAQpG"}

package/dist/auth/guard.js

@@ -1,47 +0,0 @@
-// cairn-core: server-side auth helpers the site route shims delegate to. Each takes the
-// SvelteKit event, typed structurally so the package never depends on a site's generated
-// `App.*` ambient types, plus the per-request `Auth` from `locals`.
-import { redirect } from '@sveltejs/kit';
-/** Read the better-auth session into a cairn user (or null). */
-export async function loadSession(auth, request) {
-    const session = await auth.api.getSession({ headers: request.headers });
-    if (!session?.user)
-        return null;
-    const u = session.user;
-    return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-export function requireSession(user) {
-    if (!user)
-        throw redirect(303, '/admin/login');
-    return user;
-}
-/**
- * POST-confirm verification (C2). Invoked from the confirm page's POST action: proxies the
- * token to better-auth's GET verify endpoint via the per-request handler, then forwards the
- * resulting Set-Cookie(s) onto a 303 to /admin. Scanners GET the confirm *page* (nothing is
- * consumed); only this explicit POST consumes the token.
- */
-export async function confirmSignIn(event) {
-    const form = await event.request.formData();
-    const token = String(form.get('token') ?? '');
-    if (!token)
-        throw redirect(303, '/admin/login?error=expired');
-    const verifyUrl = `${event.url.origin}/api/auth/magic-link/verify?token=${encodeURIComponent(token)}&callbackURL=/admin`;
-    const res = await event.locals.auth.handler(new Request(verifyUrl, { headers: event.request.headers }));
-    const cookies = res.headers.getSetCookie();
-    if (cookies.length === 0)
-        throw redirect(303, '/admin/login?error=expired');
-    const headers = new Headers({ location: '/admin' });
-    for (const cookie of cookies)
-        headers.append('set-cookie', cookie);
-    return new Response(null, { status: 303, headers });
-}
-/** Sign out via better-auth, forwarding the session-clearing cookies, then 303 to login. */
-export async function signOut(event) {
-    const origin = new URL(event.request.url).origin;
-    const res = await event.locals.auth.handler(new Request(`${origin}/api/auth/sign-out`, { method: 'POST', headers: event.request.headers }));
-    const headers = new Headers({ location: '/admin/login' });
-    for (const cookie of res.headers.getSetCookie())
-        headers.append('set-cookie', cookie);
-    return new Response(null, { status: 303, headers });
-}

package/dist/auth/index.d.ts

@@ -1,5 +0,0 @@
-export { createAuth, type Auth, type AuthEnv, type AuthBranding } from './config';
-export { loadSession, requireSession, confirmSignIn, signOut, type CairnUser } from './guard';
-export { adminsLoad, addAdmin, removeAdmin, setAdminRole, requireOwner, type AdminsData } from './admins';
-export { can, requireCapability, type Capability } from './capabilities';
-//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/auth/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,KAAK,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,SAAS,CAAC;AAC9F,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAC1G,OAAO,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,UAAU,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/auth/index.js

@@ -1,7 +0,0 @@
-// Public surface of `@glw907/cairn-cms/auth`: the per-request factory + server-side helpers
-// the site route shims and hooks delegate to. The browser client is intentionally NOT here
-// (it lives component-local in LoginPage to keep better-auth's deep client types out of dist).
-export { createAuth } from './config';
-export { loadSession, requireSession, confirmSignIn, signOut } from './guard';
-export { adminsLoad, addAdmin, removeAdmin, setAdminRole, requireOwner } from './admins';
-export { can, requireCapability } from './capabilities';