@glw907/cairn-cms 0.5.1 → 0.6.0-rc.1

package/dist/github.js

@@ -1,171 +0,0 @@
-// cairn-core: read and write repository content through the GitHub API.
-//
-// Reads (Pass B) list a collection directory and fetch a file's raw markdown; the token
-// is optional because ecnordic's repo is public. Writes (Pass C) mint a short-lived
-// GitHub App installation token (App JWT, RS256 signed with Web Crypto, no octokit
-// dependency) and commit through the contents API with author = editor, committer = the
-// App (cairn-cms[bot]). The same token also lifts reads to the authenticated rate limit
-// and unlocks private repos (e.g. 907-life).
-import { bytesToB64url } from './utils';
-const API = 'https://api.github.com';
-function ghHeaders(accept, token) {
-    const headers = {
-        Accept: accept,
-        'User-Agent': 'cairn-cms',
-        'X-GitHub-Api-Version': '2022-11-28',
-    };
-    if (token)
-        headers.Authorization = `Bearer ${token}`;
-    return headers;
-}
-/** Build the contents-API URL for a repo path, pinned to the configured branch. */
-export function contentsUrl(repo, path) {
-    const clean = path.replace(/^\/+|\/+$/g, '');
-    return `${API}/repos/${repo.owner}/${repo.repo}/contents/${clean}?ref=${encodeURIComponent(repo.branch)}`;
-}
-/** Keep only markdown files from a contents-API directory listing, newest id first. */
-export function markdownFiles(entries) {
-    return entries
-        .filter((entry) => entry.type === 'file' && entry.name.endsWith('.md'))
-        .map((entry) => ({ id: entry.name.replace(/\.md$/, ''), name: entry.name, path: entry.path }))
-        .sort((a, b) => b.id.localeCompare(a.id));
-}
-/** List the markdown files in a collection directory. */
-export async function listMarkdown(repo, dir, token) {
-    const res = await fetch(contentsUrl(repo, dir), { headers: ghHeaders('application/vnd.github+json', token) });
-    if (!res.ok)
-        throw new Error(`GitHub list ${dir} failed: ${res.status}`);
-    return markdownFiles((await res.json()));
-}
-/** Fetch a file's raw markdown, or null if it does not exist. */
-export async function readRaw(repo, path, token) {
-    const res = await fetch(contentsUrl(repo, path), { headers: ghHeaders('application/vnd.github.raw', token) });
-    if (res.status === 404)
-        return null;
-    if (!res.ok)
-        throw new Error(`GitHub read ${path} failed: ${res.status}`);
-    return res.text();
-}
-// --- Write path: GitHub App auth + commit (Pass C) -------------------------------------
-const encoder = new TextEncoder();
-// TextEncoder/atob produce Uint8Arrays whose generic buffer type no longer satisfies
-// Web Crypto's BufferSource under strict lib types; hand the underlying ArrayBuffer over.
-function buf(bytes) {
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-/** DER length octets for a value of `n` bytes (short form < 128, else long form). */
-function derLength(n) {
-    if (n < 0x80)
-        return [n];
-    const out = [];
-    for (let v = n; v > 0; v >>= 8)
-        out.unshift(v & 0xff);
-    return [0x80 | out.length, ...out];
-}
-// AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
-const RSA_ALG_ID = [0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00];
-/** Wrap a PKCS#1 RSAPrivateKey (DER) as PKCS#8 (the only RSA form Web Crypto importKey takes). */
-function pkcs1ToPkcs8(pkcs1) {
-    const octet = [0x04, ...derLength(pkcs1.length), ...pkcs1];
-    const body = [0x02, 0x01, 0x00, ...RSA_ALG_ID, ...octet];
-    return Uint8Array.from([0x30, ...derLength(body.length), ...body]);
-}
-/** Decode a PEM private key to PKCS#8 DER, converting from PKCS#1 (GitHub's format) if needed. */
-function pemToPkcs8(pem) {
-    const b64 = pem.replace(/-----[^-]+-----/g, '').replace(/\s+/g, '');
-    const der = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
-    return pem.includes('RSA PRIVATE KEY') ? pkcs1ToPkcs8(der) : der;
-}
-/** Mint a GitHub App JWT (RS256), valid ~9 min, with `iat` backdated for clock skew. */
-export async function appJwt(appId, privateKeyPem) {
-    const now = Math.floor(Date.now() / 1000);
-    const header = bytesToB64url(encoder.encode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })));
-    const payload = bytesToB64url(encoder.encode(JSON.stringify({ iat: now - 60, exp: now + 540, iss: appId })));
-    const signingInput = `${header}.${payload}`;
-    const key = await crypto.subtle.importKey('pkcs8', buf(pemToPkcs8(privateKeyPem)), { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['sign']);
-    const sig = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', key, buf(encoder.encode(signingInput)));
-    return `${signingInput}.${bytesToB64url(new Uint8Array(sig))}`;
-}
-/** Exchange the App JWT for a short-lived installation access token. */
-export async function installationToken(creds) {
-    const jwt = await appJwt(creds.appId, atob(creds.privateKeyB64));
-    const res = await fetch(`${API}/app/installations/${creds.installationId}/access_tokens`, {
-        method: 'POST',
-        headers: ghHeaders('application/vnd.github+json', jwt),
-    });
-    if (!res.ok)
-        throw new Error(`GitHub installation token failed: ${res.status}`);
-    return (await res.json()).token;
-}
-/** Standard (padded) base64 of UTF-8 text, as the contents API expects. */
-function toBase64(text) {
-    return btoa(Array.from(encoder.encode(text), (b) => String.fromCharCode(b)).join(''));
-}
-/** The current blob sha for a path, or null if the file does not yet exist. */
-export async function fileSha(repo, path, token) {
-    const res = await fetch(contentsUrl(repo, path), { headers: ghHeaders('application/vnd.github+json', token) });
-    if (res.status === 404)
-        return null;
-    if (!res.ok)
-        throw new Error(`GitHub stat ${path} failed: ${res.status}`);
-    return (await res.json()).sha;
-}
-/**
- * A concurrent edit lost the SHA race (C3): the file changed between the read and the PUT,
- * from another editor or the site's own CI. Thrown so callers can fail safe (re-fetch and ask
- * the editor to reapply) instead of surfacing a raw 409. Defined and caught inside the package
- * so `instanceof` is reliable (no peer-boundary identity split, unlike kit's `redirect`/`error`).
- */
-export class CommitConflictError extends Error {
-    path;
-    constructor(path) {
-        super(`Commit conflict on ${path}: it changed since it was opened`);
-        this.path = path;
-        this.name = 'CommitConflictError';
-    }
-}
-/**
- * Commit `content` to `path` on the configured branch via the contents API. Author is the
- * editor; committer is omitted so GitHub attributes it to the App (cairn-cms[bot]). Updates
- * the file in place when it exists (passing its sha), creates it otherwise. Returns the
- * commit sha. A stale-sha 409 (someone committed in between) becomes a `CommitConflictError`.
- */
-export async function commitFile(repo, path, content, opts, token) {
-    const sha = await fileSha(repo, path, token);
-    const url = `${API}/repos/${repo.owner}/${repo.repo}/contents/${path.replace(/^\/+|\/+$/g, '')}`;
-    const res = await fetch(url, {
-        method: 'PUT',
-        headers: { ...ghHeaders('application/vnd.github+json', token), 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-            message: opts.message,
-            content: toBase64(content),
-            branch: repo.branch,
-            author: opts.author,
-            ...(sha ? { sha } : {}),
-        }),
-    });
-    // 409 = the blob sha we read is no longer current. Fail safe: the caller re-fetches and the
-    // editor reapplies. (Full three-way merge stays out of scope; see ARCHITECTURE §5.)
-    if (res.status === 409)
-        throw new CommitConflictError(path);
-    if (!res.ok)
-        throw new Error(`GitHub commit ${path} failed: ${res.status} ${await res.text()}`);
-    return (await res.json()).commit.sha;
-}
-/**
- * Deploy-time self-test for the GitHub App signer (M2): sign a dummy JWT with the configured
- * private key. Exercises the brittle PKCS#1→PKCS#8 conversion + Web Crypto import/sign without
- * any network call or secret in the result, so `/admin/healthz` catches a bad/rotated key
- * before an editor's save fails. Returns `{ ok: false, detail }` rather than throwing.
- */
-export async function signingSelfTest(appId, privateKeyB64) {
-    try {
-        const jwt = await appJwt(appId, atob(privateKeyB64));
-        if (jwt.split('.').length !== 3)
-            return { ok: false, detail: 'malformed JWT' };
-        return { ok: true };
-    }
-    catch (err) {
-        return { ok: false, detail: err instanceof Error ? err.message : 'sign failed' };
-    }
-}

package/dist/nav.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"nav.d.ts","sourceRoot":"","sources":["../src/lib/nav.ts"],"names":[],"mappings":"AAOA,8GAA8G;AAC9G,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAC;CACtB;AAED,+EAA+E;AAC/E,eAAO,MAAM,aAAa,MAAM,CAAC;AAEjC,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAuB3E;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,MAAM,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACpC,QAAQ,CAAC,EAAE;QACT,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;QAC/B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;CACH;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,uGAAuG;AACvG,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAUvD;AAED,uGAAuG;AACvG,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAIzF;AAED;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,CAO1E"}

package/dist/slug.d.ts

@@ -1,7 +0,0 @@
-/**
- * Lowercase a title into a filename-safe slug stem.
- * Apostrophes are dropped so "Geoff's" becomes "geoffs" (no spurious hyphen).
- * All other non-alphanumeric runs become a single hyphen; leading/trailing hyphens are trimmed.
- */
-export declare function slugify(title: string): string;
-//# sourceMappingURL=slug.d.ts.map

package/dist/slug.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"slug.d.ts","sourceRoot":"","sources":["../src/lib/slug.ts"],"names":[],"mappings":"AAIA;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAM7C"}

package/dist/slug.js

@@ -1,15 +0,0 @@
-// cairn-core: derive a filename-safe slug stem from a human title, for the create-entry form.
-// The admin is filename-based (Pass E): this produces the editable stem an author can adjust,
-// matching the server-side SLUG_RE (lowercase alphanumerics and internal hyphens). Pure.
-/**
- * Lowercase a title into a filename-safe slug stem.
- * Apostrophes are dropped so "Geoff's" becomes "geoffs" (no spurious hyphen).
- * All other non-alphanumeric runs become a single hyphen; leading/trailing hyphens are trimmed.
- */
-export function slugify(title) {
-    return title
-        .toLowerCase()
-        .replace(/'/g, '')
-        .replace(/[^a-z0-9]+/g, '-')
-        .replace(/^-+|-+$/g, '');
-}

package/dist/utils.d.ts

@@ -1,3 +0,0 @@
-/** Encode bytes as unpadded base64url (RFC 4648 §5), the JWT/token wire format. */
-export declare function bytesToB64url(bytes: Uint8Array): string;
-//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/lib/utils.ts"],"names":[],"mappings":"AAOA,mFAAmF;AACnF,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAGvD"}

package/dist/utils.js

@@ -1,11 +0,0 @@
-// cairn-core: internal encoding helpers shared across modules.
-//
-// Deliberately NOT re-exported from index.ts. These are implementation details of the
-// auth/github crypto, not part of the public API (auth.ts signs tokens, github.ts builds
-// the App JWT; both need base64url). Keeping them here stops bytesToB64url leaking through
-// the `export *` barrel.
-/** Encode bytes as unpadded base64url (RFC 4648 §5), the JWT/token wire format. */
-export function bytesToB64url(bytes) {
-    const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
-    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-}

package/src/lib/adapter.ts

@@ -1,144 +0,0 @@
-// cairn-core: the adapter contract each site implements.
-//
-// This is the single seam that lets one admin surface serve different designs. A site
-// supplies a `CairnAdapter` (see `src/lib/cairn.config.ts`) describing its backend repo,
-// its editable collections (folder + form fields + frontmatter validator), and its preview
-// plugin set. cairn-core never hard-codes a collection, tag, or directive; it reads them
-// from the adapter. Field descriptors are plain data so a load function can hand them to
-// the editor form across the server-to-client boundary.
-import type { PreviewPlugins } from './carta';
-import type { RepoRef } from './github';
-import type { ComponentRegistry } from './render';
-
-interface FieldBase {
-  /** Frontmatter key and form input name. */
-  name: string;
-  label: string;
-  required?: boolean;
-}
-
-export interface TextField extends FieldBase {
-  type: 'text';
-}
-export interface DateField extends FieldBase {
-  type: 'date';
-}
-export interface TextareaField extends FieldBase {
-  type: 'textarea';
-  rows?: number;
-}
-export interface BooleanField extends FieldBase {
-  type: 'boolean';
-}
-export interface TagsField extends FieldBase {
-  type: 'tags';
-  /** Controlled vocabulary rendered as checkboxes. */
-  options: readonly string[];
-}
-export interface FreeTagsField extends FieldBase {
-  type: 'freetags';
-  /** Free-form tags, edited as one comma-separated text input (no controlled vocabulary). */
-  placeholder?: string;
-}
-
-export type CairnField =
-  | TextField
-  | DateField
-  | TextareaField
-  | BooleanField
-  | TagsField
-  | FreeTagsField;
-
-export interface CairnCollection {
-  /** Route `[type]` segment and list key, e.g. `posts`. */
-  type: string;
-  label: string;
-  /**
-   * Editing shape. `story` (the default when absent) is a dated feed entry; `page` is a
-   * navigation-placed entry with a path-like slug and no date emphasis. Drives the create
-   * form and the editor header. Never gates editing capability: the palette and toolbar are
-   * available to both. (Pass K, R4.)
-   */
-  kind?: 'page' | 'story';
-  /** Repo-relative folder holding the collection's markdown files. */
-  dir: string;
-  /** Editor form fields, rendered in order. */
-  fields: CairnField[];
-  /** Validate raw frontmatter (from the form) into the on-disk object, throwing on error. */
-  validate(data: Record<string, unknown>, source: string): object;
-}
-
-/** A managed navigation menu, read from and committed to the site's YAML config file. */
-export interface NavMenuConfig {
-  /** Repo-relative path to the site-config YAML, e.g. 'src/lib/site.config.yaml'. */
-  configPath: string;
-  /** Key within the file's `menus` map, e.g. 'primary'. */
-  menuName: string;
-  /** Sidebar/admin label for the menu. */
-  label: string;
-  /** Max nesting depth allowed in the editor (1 = flat). Defaults to 2. */
-  maxDepth?: number;
-}
-
-export interface CairnAdapter {
-  /** Branding + magic-link email copy. */
-  siteName: string;
-  /** From: address for magic-link email (must be a domain-authenticated sender). */
-  sender: string;
-  /** The repository the admin reads content from and commits to. */
-  backend: RepoRef;
-  /** Site plugin set for the Carta preview (parity with the live render). */
-  preview: PreviewPlugins;
-  collections: CairnCollection[];
-  /**
-   * The site's component registry: the single declaration of its directive
-   * components (R10a). Rendering parity already flows through `preview`; this
-   * exposes the same registry so the editor's insert-component palette can read
-   * `registry.defs`. Optional: a site with no rich components (e.g. 907.life) may
-   * omit it or supply an empty registry.
-   */
-  registry?: ComponentRegistry;
-  /**
-   * The navigation menu this site manages from `/admin/nav` (R3/Pass L2). The menu lives in the
-   * site's git-committed YAML config (read at build time by the layout, committed back by the
-   * editor). Omit to hide the nav surface, the same opt-in shape as `registry`.
-   */
-  navMenu?: NavMenuConfig;
-}
-
-/** Look up a collection by its route segment, or undefined if the segment is unknown. */
-export function findCollection(adapter: CairnAdapter, type: string): CairnCollection | undefined {
-  return adapter.collections.find((collection) => collection.type === type);
-}
-
-/** Read raw frontmatter from a submitted form, decoding each value per its field type. */
-export function frontmatterFromForm(
-  collection: CairnCollection,
-  form: FormData,
-): Record<string, unknown> {
-  const data: Record<string, unknown> = {};
-  for (const field of collection.fields) {
-    switch (field.type) {
-      case 'boolean':
-        data[field.name] = form.get(field.name) === 'on';
-        break;
-      case 'tags':
-        data[field.name] = form.getAll(field.name).map(String);
-        break;
-      case 'freetags':
-        // One comma-separated input → trimmed, de-duplicated, non-empty tags.
-        data[field.name] = [
-          ...new Set(
-            String(form.get(field.name) ?? '')
-              .split(',')
-              .map((tag) => tag.trim())
-              .filter(Boolean),
-          ),
-        ];
-        break;
-      default:
-        data[field.name] = form.get(field.name);
-    }
-  }
-  return data;
-}

package/src/lib/auth/admins.ts

@@ -1,106 +0,0 @@
-// cairn-core: owner-gated editor management, on better-auth's admin API. The `user` table IS
-// the allowlist (disableSignUp ⇒ only listed emails can sign in), so add/remove editor = create/
-// remove user; role flips go through the admin plugin's access-control roles (owner/editor).
-// These run as SvelteKit form actions; each verifies the acting user is an owner first.
-import { redirect, error } from '@sveltejs/kit';
-import type { Auth } from './config';
-import type { CairnUser } from './guard';
-
-export interface AdminsData {
-  admins: CairnUser[];
-  /** Acting owner's email, so the UI can disable self-targeted remove/demote. */
-  self: string;
-  saved: boolean;
-  error: string | null;
-}
-
-const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
-
-/**
- * The privilege-escalation gate. better-auth's admin API also enforces this server-side (only
- * `owner` holds the admin statements), but checking `locals.user` here gives clean redirect/403
- * UX and lets the mutations guard self-lockout before calling the API. Returns the acting owner.
- */
-export function requireOwner(user: CairnUser | null): CairnUser {
-  if (!user) throw error(401, 'Not signed in');
-  if (user.role !== 'owner') throw error(403, 'Owner access required');
-  return user;
-}
-
-type Ev = { locals: { auth: Auth; user: CairnUser | null }; request: Request; url: URL };
-
-function asCairnUser(u: { id: string; email: string; name: string; role?: string | null }): CairnUser {
-  return { id: u.id, email: u.email, name: u.name, role: u.role === 'owner' ? 'owner' : 'editor' };
-}
-
-/** Find an editor by exact (lowercased) email, or undefined. */
-async function findByEmail(event: Ev, email: string): Promise<CairnUser | undefined> {
-  const res = await event.locals.auth.api.listUsers({
-    query: { searchValue: email, searchField: 'email', limit: 100 },
-    headers: event.request.headers,
-  });
-  const match = (res.users ?? []).find((u) => u.email.toLowerCase() === email);
-  return match ? asCairnUser(match) : undefined;
-}
-
-/** List the allowlist for the manage-editors page. Owner-only. */
-export async function adminsLoad(event: Ev): Promise<AdminsData> {
-  const owner = requireOwner(event.locals.user);
-  const res = await event.locals.auth.api.listUsers({
-    query: { limit: 200 },
-    headers: event.request.headers,
-  });
-  const admins = (res.users ?? []).map(asCairnUser).sort((a, b) => a.email.localeCompare(b.email));
-  return {
-    admins,
-    self: owner.email,
-    saved: event.url.searchParams.get('saved') === '1',
-    error: event.url.searchParams.get('error'),
-  };
-}
-
-/** Add an editor (create the user). Owner-only. */
-export async function addAdmin(event: Ev): Promise<never> {
-  requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const name = String(form.get('name') ?? '').trim();
-  const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-  if (!EMAIL_RE.test(email) || !name) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent('Enter a valid email and name')}`);
-  }
-  // No password: a magic-link-only user (no credential account), per better-auth's createUser.
-  await event.locals.auth.api.createUser({ body: { email, name, role }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Remove an editor (delete the user). Owner-only; owners can't remove themselves (anti-lockout). */
-export async function removeAdmin(event: Ev): Promise<never> {
-  const owner = requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  if (email === owner.email) {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't remove yourself")}`);
-  }
-  const target = await findByEmail(event, email);
-  if (!target) throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  await event.locals.auth.api.removeUser({ body: { userId: target.id }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}
-
-/** Change an editor's role. Owner-only; owners can't demote themselves (anti-lockout). */
-export async function setAdminRole(event: Ev): Promise<never> {
-  const owner = requireOwner(event.locals.user);
-  const form = await event.request.formData();
-  const email = String(form.get('email') ?? '').trim().toLowerCase();
-  const role = form.get('role') === 'owner' ? 'owner' : 'editor';
-  if (email === owner.email && role !== 'owner') {
-    throw redirect(303, `/admin/admins?error=${encodeURIComponent("You can't demote yourself")}`);
-  }
-  const target = await findByEmail(event, email);
-  if (!target) throw redirect(303, `/admin/admins?error=${encodeURIComponent('No such editor')}`);
-  await event.locals.auth.api.setRole({ body: { userId: target.id, role }, headers: event.request.headers });
-  // M3: revoke a demoted editor's live sessions so the privilege drop takes effect immediately.
-  await event.locals.auth.api.revokeUserSessions({ body: { userId: target.id }, headers: event.request.headers });
-  throw redirect(303, '/admin/admins?saved=1');
-}

package/src/lib/auth/capabilities.ts

@@ -1,35 +0,0 @@
-// cairn-core: capability checks. Management surfaces gate on a capability, not on a role name,
-// so the two-tier owner/editor model can grow finer capabilities (and a future role) additively.
-// Creating a page and changing the nav are structural acts, so they sit with owner; editing a
-// page's content and running the story feed are everyday editor work.
-import { error } from '@sveltejs/kit';
-import type { CairnUser } from './guard';
-
-export type Capability =
-  | 'story:create'
-  | 'story:edit'
-  | 'page:edit'
-  | 'page:create'
-  | 'nav:manage'
-  | 'user:manage';
-
-// One source of truth. `'all'` means every capability; otherwise the explicit grant list. A future
-// `manager` role is one more row here, no call-site changes.
-const CAPS_BY_ROLE: Record<CairnUser['role'], readonly Capability[] | 'all'> = {
-  owner: 'all',
-  editor: ['story:create', 'story:edit', 'page:edit'],
-};
-
-/** Does this user hold the capability? A signed-out (null) user holds nothing. */
-export function can(user: CairnUser | null, cap: Capability): boolean {
-  if (!user) return false;
-  const grants = CAPS_BY_ROLE[user.role];
-  return grants === 'all' || grants.includes(cap);
-}
-
-/** Assert the capability for a route load/action: 401 when signed out, 403 when under-privileged. */
-export function requireCapability(user: CairnUser | null, cap: Capability): CairnUser {
-  if (!user) throw error(401, 'Not signed in');
-  if (!can(user, cap)) throw error(403, 'You do not have permission to do that');
-  return user;
-}

package/src/lib/auth/config.ts

@@ -1,108 +0,0 @@
-// cairn-core: the better-auth instance. Auth is engine code (engine-fat rule), so the whole
-// config lives here: Drizzle/D1 adapter, magic-link (POST-confirm-shaped send), admin roles.
-// Instantiated PER REQUEST in hooks.server.ts (the D1 binding is request-scoped); the factory
-// is cheap (no I/O at construction).
-import { betterAuth } from 'better-auth';
-import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { drizzle } from 'drizzle-orm/d1';
-import { magicLink, admin } from 'better-auth/plugins';
-import { createAccessControl } from 'better-auth/plugins/access';
-import { defaultStatements } from 'better-auth/plugins/admin/access';
-import type { D1Database } from '@cloudflare/workers-types';
-import { sendMagicLink, type EmailSender } from '../email';
-import * as schema from './schema';
-
-// Two-tier roles on the admin plugin's access-control system: `owner` holds every admin
-// statement (manage editors, revoke sessions); `editor` holds none (content-only). `adminRoles`
-// must name a role defined here, so owner (not the plugin's built-in `admin`) is the gate.
-const ac = createAccessControl(defaultStatements);
-const owner = ac.newRole(defaultStatements);
-const editor = ac.newRole({});
-
-/** Worker bindings + vars the auth layer reads (a structural subset of `Platform.env`). */
-export interface AuthEnv {
-  AUTH_DB?: D1Database;
-  AUTH_SECRET?: string;
-  /** Canonical origin; `BETTER_AUTH_URL` is accepted as a legacy alias. */
-  PUBLIC_ORIGIN?: string;
-  /** Legacy alias for `PUBLIC_ORIGIN`; `PUBLIC_ORIGIN` takes precedence when both are set. */
-  BETTER_AUTH_URL?: string;
-  EMAIL?: EmailSender;
-}
-
-/** Branding the magic-link email needs; threaded from the site adapter via hooks. */
-export interface AuthBranding {
-  siteName: string;
-  /** The `From:` address used when sending magic-link emails. */
-  sender: string;
-}
-
-/** The drizzle adapter result `betterAuth` consumes (same provider/schema everywhere). */
-type DrizzleDb = Parameters<typeof drizzleAdapter>[0];
-
-/**
- * The shared better-auth config. Kept separate from `createAuth` so the test harness can run
- * the EXACT plugin set (allowlist semantics, expiry, POST-confirm send) over an in-memory
- * SQLite instead of D1. `disableSignUp:true` makes the `user` table the editor allowlist:
- * magic-link never auto-creates, so the only way in is the owner-gated admin `createUser`
- * (see auth/admins.ts). `adminRoles:['owner']` lets owners (not the default `admin` role)
- * drive the admin API. Tokens are stored hashed and consumed atomically on first verify
- * (better-auth GHSA-hc7v-rggr-4hvx), single-use by construction (C1).
- */
-export function buildAuth(opts: {
-  database: DrizzleDb;
-  baseURL: string;
-  secret: string | undefined;
-  branding: AuthBranding;
-  sendLink: (email: string, token: string) => Promise<void>;
-}) {
-  return betterAuth({
-    appName: opts.branding.siteName,
-    secret: opts.secret,
-    baseURL: opts.baseURL,
-    trustedOrigins: [opts.baseURL],
-    database: opts.database,
-    plugins: [
-      magicLink({
-        disableSignUp: true,
-        expiresIn: 600,
-        storeToken: 'hashed',
-        sendMagicLink: async ({ email, token }, ctx) => {
-          // Allowlist gate: better-auth always fires this callback (even for unknown emails, to
-          // avoid enumeration) and only blocks user creation at verify. So gate the actual send
-          // here. Never email a non-editor. The login UI shows neutral copy either way, so this
-          // leaks nothing; it just stops strangers receiving a dead link.
-          const existing = await ctx?.context.internalAdapter.findUserByEmail(email);
-          if (!existing?.user) return;
-          await opts.sendLink(email, token);
-        },
-      }),
-      admin({ ac, roles: { owner, editor }, defaultRole: 'editor', adminRoles: ['owner'] }),
-    ],
-  });
-}
-
-/**
- * Build the per-request better-auth instance over the site's D1 binding. The magic-link email
- * points at OUR confirm page carrying only the token; consumption happens when the user clicks
- * "Confirm sign-in" there (a POST), never on a scanner GET (C2 / POST-confirm). The origin is
- * config-derived (`PUBLIC_ORIGIN`/`BETTER_AUTH_URL`), never request-derived (H3).
- */
-export function createAuth(env: AuthEnv, branding: AuthBranding) {
-  if (!env.AUTH_DB) throw new Error('AUTH_DB (D1) binding is required');
-  const origin = env.PUBLIC_ORIGIN || env.BETTER_AUTH_URL || 'http://localhost';
-  const db = drizzle(env.AUTH_DB, { schema });
-  return buildAuth({
-    database: drizzleAdapter(db, { provider: 'sqlite', schema }),
-    baseURL: origin,
-    secret: env.AUTH_SECRET,
-    branding,
-    sendLink: async (email, token) => {
-      if (!env.EMAIL) throw new Error('EMAIL binding is required to send magic links');
-      const link = `${origin}/admin/auth/confirm?token=${encodeURIComponent(token)}`;
-      await sendMagicLink(env.EMAIL, email, link, branding.siteName, branding.sender);
-    },
-  });
-}
-
-export type Auth = ReturnType<typeof createAuth>;