@glw907/cairn-cms 0.50.0 → 0.51.0

package/dist/doctor/check-probe.js

@@ -0,0 +1,123 @@
+// The doctor's opt-in live probe (--probe): one GET and one POST against a deployed admin,
+// asserting the envelope a working sign-in presents. Zero side effects by construction: the
+// POST submits a random non-editor address, and the engine's non-leak design answers a
+// non-editor with the identical sent body while sending no email and minting no token, so the
+// probe leaves nothing behind on the site. A factory rather than a check constant, the same
+// shape as the live send: the check exists only when the bin receives --probe.
+import { fail, pass, skip } from './types.js';
+import { csrfCookieName } from '../auth/crypto.js';
+import { readWranglerConfig } from './wrangler-config.js';
+const NO_URL = skip('pass --probe <url>, set PUBLIC_ORIGIN in the wrangler vars, or set PUBLIC_ORIGIN in the environment');
+/** Build the live-probe check. A missing url falls back to the PUBLIC_ORIGIN input at run time. */
+export function liveProbeCheck(url) {
+    return {
+        id: 'admin.login-probe',
+        conditionId: 'admin.login-probe-failed',
+        title: 'Live admin login probe',
+        async run(ctx) {
+            // The wrangler vars hold the value the deployed Worker reads, so they beat the local
+            // environment, the same precedence the public-origin check applies.
+            const base = url ?? (await readWranglerConfig(ctx.readFile))?.publicOrigin ?? ctx.publicOrigin;
+            if (base === undefined)
+                return NO_URL;
+            let origin;
+            try {
+                origin = new URL(base);
+            }
+            catch {
+                return fail(`probe URL does not parse: ${base}`);
+            }
+            try {
+                return await probe(ctx, origin);
+            }
+            catch (err) {
+                return fail(String(err));
+            }
+        },
+    };
+}
+/** GET /admin/login and assert the sign-in envelope, then hand the harvested token pair on. */
+async function probe(ctx, origin) {
+    const res = await ctx.fetch(String(new URL('/admin/login', origin)));
+    if (res.status !== 200) {
+        return fail(`GET /admin/login returned ${res.status}, expected 200`);
+    }
+    const cookieName = csrfCookieName(origin.protocol === 'https:');
+    const cookieValue = setCookieValue(res.headers.getSetCookie(), cookieName);
+    if (cookieValue === undefined) {
+        return fail(`GET /admin/login set no ${cookieName} cookie`);
+    }
+    const html = await res.text();
+    const field = csrfFieldValue(html);
+    if (field === undefined) {
+        return fail('the login page carries no name="csrf" hidden field with a value');
+    }
+    if (!/<form[^>]*action="[^"]*\?\/request"/.test(html)) {
+        return fail('the login page carries no form posting the ?/request action');
+    }
+    return postRequestAction(ctx, origin, `${cookieName}=${cookieValue}`, field);
+}
+/** The named cookie's value from the Set-Cookie lines, or undefined when no line names it. */
+function setCookieValue(lines, name) {
+    for (const line of lines) {
+        const eq = line.indexOf('=');
+        if (eq === -1 || line.slice(0, eq).trim() !== name)
+            continue;
+        const rest = line.slice(eq + 1);
+        const semi = rest.indexOf(';');
+        return semi === -1 ? rest : rest.slice(0, semi);
+    }
+    return undefined;
+}
+/** The csrf hidden field's value, tolerant of attribute order, or undefined when absent or empty. */
+function csrfFieldValue(html) {
+    const input = (html.match(/<input[^>]*>/g) ?? []).find((tag) => /name="csrf"/.test(tag));
+    if (input === undefined)
+        return undefined;
+    return /value="([^"]+)"/.exec(input)?.[1];
+}
+/**
+ * POST the request action and read its serialized result. The address is random and non-editor
+ * at the reserved example.invalid domain, so even a delivery bug could send nothing anywhere,
+ * and the engine's non-leak design makes the response indistinguishable from a real send.
+ */
+async function postRequestAction(ctx, origin, cookie, csrf) {
+    const email = `cairn-doctor-probe-${Math.random().toString(36).slice(2, 10)}@example.invalid`;
+    const res = await ctx.fetch(String(new URL('/admin/login?/request', origin)), {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+            cookie,
+        },
+        body: new URLSearchParams({ email, csrf }).toString(),
+    });
+    if (res.status !== 200) {
+        return fail(`POST ?/request returned ${res.status}, expected 200`);
+    }
+    // A no-Accept action POST answers with SvelteKit's serialized form-action JSON, shaped
+    // {"type":"success","status":200,"data":"<devalue array string>"}. The data field is a
+    // devalue encoding the probe reads by containment for the status literals, tolerant of
+    // encoding details it does not own, instead of pulling in a devalue parser.
+    let envelope;
+    try {
+        envelope = (await res.json());
+    }
+    catch {
+        return fail('POST ?/request did not answer with the serialized action JSON');
+    }
+    if (envelope.type !== 'success') {
+        return fail(`POST ?/request answered type ${String(envelope.type)}, expected success`);
+    }
+    const data = typeof envelope.data === 'string' ? envelope.data : '';
+    if (data.includes('"send_error"')) {
+        return fail('the request action answered send_error; the magic-link send path is failing (see the email checks and the auth.link.send_failed log records)');
+    }
+    // Every payload carries the "sent" field name, so the distinct status spellings go first.
+    if (data.includes('"throttled"')) {
+        return pass(`sign-in envelope verified at ${origin.origin}; the request action answered throttled (a real cooldown window is active), which still proves the path`);
+    }
+    if (data.includes('"sent"')) {
+        return pass(`sign-in envelope verified at ${origin.origin}; the request action answered sent for a non-editor probe address`);
+    }
+    return fail('POST ?/request answered success with an unrecognized payload');
+}

package/dist/doctor/checks-github.js

@@ -17,7 +17,7 @@ export const githubApp = {
             return skip('set GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, and GITHUB_APP_PRIVATE_KEY_B64 to run this check');
         }
         if (!ctx.repo) {
-            return skip('pass --repo or set GITHUB_REPO to run this check');
+            return skip('pass --repo, set GITHUB_REPO, or configure the cairnManifest plugin so the doctor can read the adapter');
         }
         const creds = appCredentials({ appId: ctx.github.appId, installationId: ctx.github.installationId }, { GITHUB_APP_PRIVATE_KEY_B64: ctx.github.privateKeyB64 });
         // Stage 1: the key parse and sign, through the deploy-time self-test. Its detail is a

package/dist/doctor/checks-local.d.ts

@@ -2,4 +2,5 @@ import type { DoctorCheck } from './types.js';
 export declare const configBindings: DoctorCheck;
 export declare const configObservability: DoctorCheck;
 export declare const configCsrfDisable: DoctorCheck;
+export declare const configPublicOrigin: DoctorCheck;
 export declare const configSiteConfig: DoctorCheck;

package/dist/doctor/checks-local.js

@@ -1,8 +1,9 @@
 // The doctor's local-config checks: the wrangler bindings, the observability sink, the
-// svelte.config CSRF handoff, and the site-config validation. Every read goes through the
-// injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
+// svelte.config CSRF handoff, the site-config validation, and the public origin. Every read
+// goes through the injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
 import { fail, pass, skip } from './types.js';
 import { readWranglerConfig } from './wrangler-config.js';
+import { requireOrigin } from '../env.js';
 import { parseSiteConfig, urlPolicyFrom } from '../nav/site-config.js';
 import { normalizeConcepts } from '../content/concepts.js';
 import { defineFields } from '../content/schema.js';
@@ -78,6 +79,31 @@ export const configCsrfDisable = {
         return pass('checkOrigin: false found and the hooks file wires the cairn guard (heuristic text read)');
     },
 };
+export const configPublicOrigin = {
+    id: 'config.public-origin',
+    conditionId: 'config.public-origin-invalid',
+    title: 'Public origin',
+    async run(ctx) {
+        // The wrangler vars hold the value the deployed Worker reads, so they beat the local
+        // environment; the env fallback covers a dashboard-set var the file never carries.
+        const facts = await readWranglerConfig(ctx.readFile);
+        const fromVars = facts?.publicOrigin;
+        const origin = fromVars ?? ctx.publicOrigin;
+        if (facts === null && origin === undefined) {
+            return skip('no wrangler config found and PUBLIC_ORIGIN is not in the environment');
+        }
+        // requireOrigin is the runtime rule (unset, not a URL, http off localhost); reusing it
+        // keeps the doctor and the Worker on one judgment.
+        try {
+            requireOrigin({ PUBLIC_ORIGIN: origin });
+        }
+        catch (err) {
+            return fail(err instanceof Error ? err.message : String(err));
+        }
+        const source = fromVars !== undefined ? 'wrangler vars' : 'environment';
+        return pass(`PUBLIC_ORIGIN is ${origin} (${source})`);
+    },
+};
 // Where sites keep site.config.yaml. The adapter's configPath is TypeScript the CLI cannot
 // evaluate, so the check probes the conventional spots instead (the repo root and the two
 // src locations the production sites use).

package/dist/doctor/cloudflare-api.js

@@ -5,8 +5,8 @@
 import { skip } from './types.js';
 export const CF_API = 'https://api.cloudflare.com/client/v4';
 export const NO_TOKEN = skip('set CLOUDFLARE_API_TOKEN to run this check');
-export const NO_FROM = skip('pass --from or set CAIRN_FROM to run this check');
-export const NO_ACCOUNT = skip('set CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID to run this check');
+export const NO_FROM = skip('pass --from, set CAIRN_FROM, or configure the cairnManifest plugin so the doctor can read the adapter');
+export const NO_ACCOUNT = skip('set CLOUDFLARE_API_TOKEN, and CLOUDFLARE_ACCOUNT_ID or a wrangler account_id, to run this check');
 export function cfGet(ctx, path) {
     return ctx.fetch(`${CF_API}${path}`, {
         headers: { authorization: `Bearer ${ctx.cfToken}` },

package/dist/doctor/index.d.ts

@@ -5,6 +5,9 @@ export interface DoctorArgs {
     from?: string;
     repo?: string;
     sendTest?: string;
+    /** The live admin probe: a URL when --probe carried one, true for the bare flag (probe the
+     *  PUBLIC_ORIGIN input), absent when the flag never appeared (the probe does not run). */
+    probe?: string | true;
 }
 /** Parse the bin's argv (long flags only). Throws with a usage line on anything unexpected. */
 export declare function parseArgs(argv: string[]): DoctorArgs;
@@ -15,9 +18,31 @@ export declare function parseArgs(argv: string[]): DoctorArgs;
  * readFile stay with the bin, which injects the real ones.
  */
 export declare function contextFromEnv(env: Record<string, string | undefined>, args: DoctorArgs, cwd: string): Omit<DoctorContext, 'fetch' | 'readFile'>;
+/** The lazy derivation sources the bin wires up: the adapter read through the consumer's own
+ *  Vite resolution and the wrangler config's account_id. Each runs only when an input it feeds
+ *  is still missing, so a doctor run with full flags touches neither. */
+export interface DerivationSources {
+    /** Returns { owner, repo, from } off the adapter, or null when nothing is derivable. */
+    adapterFacts: () => Promise<{
+        owner?: string;
+        repo?: string;
+        from?: string;
+    } | null>;
+    /** Returns the wrangler config's account_id, or undefined when none is declared. */
+    wranglerAccountId: () => Promise<string | undefined>;
+}
+/**
+ * Fill the context's missing inputs from the repo the doctor runs in: from and repo off the
+ * adapter, the account id off the wrangler config. An explicit flag or env value always wins
+ * (contextFromEnv already resolved those into ctx), each source runs lazily and only for
+ * inputs still missing, and a derivation failure leaves the input absent so its check skips
+ * with the usual remediation line instead of the doctor crashing. The API token is never
+ * derived; it stays env-only.
+ */
+export declare function deriveMissingInputs(ctx: Omit<DoctorContext, 'fetch' | 'readFile'>, sources: DerivationSources): Promise<Omit<DoctorContext, 'fetch' | 'readFile'>>;
 /**
- * The default registry: the four local-config checks, the four Cloudflare checks, and the
- * GitHub App chain. The live send is opt-in (--send-test) and never sits here; the bin appends
- * it. A fresh array per call, so that append mutates nothing shared.
+ * The default registry: the six local checks, the four Cloudflare checks, and the GitHub App
+ * chain. The live send is opt-in (--send-test) and never sits here; the bin appends it. A
+ * fresh array per call, so that append mutates nothing shared.
  */
 export declare function defaultChecks(): DoctorCheck[];

package/dist/doctor/index.js

@@ -1,9 +1,10 @@
-import { configBindings, configObservability, configCsrfDisable, configSiteConfig, } from './checks-local.js';
+import { configBindings, configObservability, configCsrfDisable, configSiteConfig, configPublicOrigin, } from './checks-local.js';
+import { configDependencyFloors } from './check-floors.js';
 import { emailSenderOnboarded, edgeHttpsForced, edgeHsts, authStore } from './checks-cloudflare.js';
 import { githubApp } from './checks-github.js';
 export { runDoctor } from './run.js';
 export { formatReport } from './report.js';
-const USAGE = 'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>]';
+const USAGE = 'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>] [--probe [url]]';
 const FLAGS = {
     '--from': 'from',
     '--repo': 'repo',
@@ -12,8 +13,16 @@ const FLAGS = {
 /** Parse the bin's argv (long flags only). Throws with a usage line on anything unexpected. */
 export function parseArgs(argv) {
     const args = {};
-    for (let i = 0; i < argv.length; i += 2) {
+    for (let i = 0; i < argv.length;) {
         const flag = argv[i];
+        // --probe alone is meaningful (probe the PUBLIC_ORIGIN input), so its value is optional.
+        if (flag === '--probe') {
+            const value = argv[i + 1];
+            const bare = value === undefined || value.startsWith('--');
+            args.probe = bare ? true : value;
+            i += bare ? 1 : 2;
+            continue;
+        }
         const key = FLAGS[flag];
         if (!key)
             throw new Error(`unknown argument ${flag}\n${USAGE}`);
@@ -22,6 +31,7 @@ export function parseArgs(argv) {
             throw new Error(`${flag} needs a value\n${USAGE}`);
         }
         args[key] = value;
+        i += 2;
     }
     return args;
 }
@@ -39,6 +49,7 @@ export function contextFromEnv(env, args, cwd) {
         repo: args.repo ?? env.GITHUB_REPO,
         cfToken: env.CLOUDFLARE_API_TOKEN,
         cfAccountId: env.CLOUDFLARE_ACCOUNT_ID,
+        publicOrigin: env.PUBLIC_ORIGIN,
         github: GITHUB_APP_ID && GITHUB_APP_INSTALLATION_ID && GITHUB_APP_PRIVATE_KEY_B64
             ? {
                 appId: GITHUB_APP_ID,
@@ -49,9 +60,37 @@ export function contextFromEnv(env, args, cwd) {
     };
 }
 /**
- * The default registry: the four local-config checks, the four Cloudflare checks, and the
- * GitHub App chain. The live send is opt-in (--send-test) and never sits here; the bin appends
- * it. A fresh array per call, so that append mutates nothing shared.
+ * Fill the context's missing inputs from the repo the doctor runs in: from and repo off the
+ * adapter, the account id off the wrangler config. An explicit flag or env value always wins
+ * (contextFromEnv already resolved those into ctx), each source runs lazily and only for
+ * inputs still missing, and a derivation failure leaves the input absent so its check skips
+ * with the usual remediation line instead of the doctor crashing. The API token is never
+ * derived; it stays env-only.
+ */
+export async function deriveMissingInputs(ctx, sources) {
+    const out = { ...ctx };
+    if (out.from === undefined || out.repo === undefined) {
+        const facts = await sources.adapterFacts().catch(() => null);
+        if (out.from === undefined && typeof facts?.from === 'string') {
+            out.from = facts.from;
+        }
+        if (out.repo === undefined &&
+            typeof facts?.owner === 'string' &&
+            typeof facts?.repo === 'string') {
+            out.repo = `${facts.owner}/${facts.repo}`;
+        }
+    }
+    if (out.cfAccountId === undefined) {
+        const accountId = await sources.wranglerAccountId().catch(() => undefined);
+        if (typeof accountId === 'string')
+            out.cfAccountId = accountId;
+    }
+    return out;
+}
+/**
+ * The default registry: the six local checks, the four Cloudflare checks, and the GitHub App
+ * chain. The live send is opt-in (--send-test) and never sits here; the bin appends it. A
+ * fresh array per call, so that append mutates nothing shared.
  */
 export function defaultChecks() {
     return [
@@ -59,6 +98,8 @@ export function defaultChecks() {
         configObservability,
         configCsrfDisable,
         configSiteConfig,
+        configPublicOrigin,
+        configDependencyFloors,
         emailSenderOnboarded,
         edgeHttpsForced,
         edgeHsts,

package/dist/doctor/types.d.ts

@@ -28,6 +28,8 @@ export interface DoctorContext {
     cfToken?: string;
     /** CLOUDFLARE_ACCOUNT_ID. */
     cfAccountId?: string;
+    /** PUBLIC_ORIGIN, the env fallback when the wrangler vars carry none. */
+    publicOrigin?: string;
     /** GITHUB_APP_ID / GITHUB_APP_INSTALLATION_ID / GITHUB_APP_PRIVATE_KEY_B64. */
     github?: {
         appId: string;

package/dist/doctor/wrangler-config.d.ts

@@ -8,5 +8,9 @@ export interface WranglerFacts {
     authDbId?: string;
     /** observability.enabled is true. */
     observabilityEnabled: boolean;
+    /** vars.PUBLIC_ORIGIN, when declared; the public-origin check validates it. */
+    publicOrigin?: string;
+    /** The top-level account_id, when declared; a fallback for CLOUDFLARE_ACCOUNT_ID. */
+    accountId?: string;
 }
 export declare function readWranglerConfig(readFile: DoctorContext['readFile']): Promise<WranglerFacts | null>;

package/dist/doctor/wrangler-config.js

@@ -71,6 +71,11 @@ function factsFromJsonc(text) {
     };
     if (typeof authDb?.database_id === 'string')
         facts.authDbId = authDb.database_id;
+    const vars = config.vars;
+    if (typeof vars?.PUBLIC_ORIGIN === 'string')
+        facts.publicOrigin = vars.PUBLIC_ORIGIN;
+    if (typeof config.account_id === 'string')
+        facts.accountId = config.account_id;
     return facts;
 }
 // The toml read is deliberately shallow: line-anchored matching for the three facts, not a
@@ -119,6 +124,12 @@ function factsFromToml(text) {
         else if (section === '[observability]' && key === 'enabled' && value.startsWith('true')) {
             facts.observabilityEnabled = true;
         }
+        else if (section === '[vars]' && key === 'PUBLIC_ORIGIN' && str !== undefined) {
+            facts.publicOrigin = str;
+        }
+        else if (section === '' && key === 'account_id' && str !== undefined) {
+            facts.accountId = str;
+        }
     }
     flushD1();
     return facts;

package/dist/env.d.ts

@@ -5,7 +5,8 @@ import type { D1Database } from '@cloudflare/workers-types';
  * The origin is always config-derived, never read from a request header, so a
  * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
  *
- * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ * @throws CairnError (`config.public-origin-invalid`) when `PUBLIC_ORIGIN` is unset or
+ * empty, fails to parse as a URL, or uses http on a non-local host.
  */
 export declare function requireOrigin(env: {
     PUBLIC_ORIGIN?: string;

package/dist/env.js

@@ -5,26 +5,31 @@ import { CairnError } from './diagnostics/index.js';
  * The origin is always config-derived, never read from a request header, so a
  * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
  *
- * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ * @throws CairnError (`config.public-origin-invalid`) when `PUBLIC_ORIGIN` is unset or
+ * empty, fails to parse as a URL, or uses http on a non-local host.
  */
 export function requireOrigin(env) {
     const origin = env.PUBLIC_ORIGIN;
     if (!origin) {
-        throw new Error('PUBLIC_ORIGIN is not configured');
+        throw new CairnError('config.public-origin-invalid', { message: 'PUBLIC_ORIGIN is not configured' });
     }
     let hostname;
     try {
         hostname = new URL(origin).hostname;
     }
     catch {
-        throw new Error(`PUBLIC_ORIGIN is not a valid URL, got ${origin}`);
+        throw new CairnError('config.public-origin-invalid', {
+            message: `PUBLIC_ORIGIN is not a valid URL, got ${origin}`,
+        });
     }
     // The magic-link origin must be https in production so the link and the __Host- cookie are
     // origin-bound. http is allowed only for local dev on localhost or 127.0.0.1, matched exactly so
     // a lookalike host like localhost.example.com cannot skip the https requirement.
     const isLocal = hostname === 'localhost' || hostname === '127.0.0.1';
     if (!origin.startsWith('https://') && !isLocal) {
-        throw new Error(`PUBLIC_ORIGIN must be https in production, got ${origin}`);
+        throw new CairnError('config.public-origin-invalid', {
+            message: `PUBLIC_ORIGIN must be https in production, got ${origin}`,
+        });
     }
     return origin;
 }

package/dist/index.d.ts

@@ -2,7 +2,7 @@ export { requireOrigin } from './env.js';
 export type { Role, Editor, AuthEnv } from './auth/types.js';
 export type { AuthBranding, MagicLinkMessage, SendMagicLink } from './email.js';
 export { buildMagicLinkMessage, cloudflareSend } from './email.js';
-export type { CairnAdapter, ConceptConfig, FrontmatterField, TextField, TextareaField, DateField, BooleanField, TagsField, FreeTagsField, ValidationResult, BackendConfig, SenderConfig, NavMenuConfig, AssetConfig, RoutingRule, ConceptDescriptor, ConceptUrlPolicy, CairnExtension, CairnRuntime, AdminPanel, FieldTypeDef, } from './content/types.js';
+export type { CairnAdapter, ConceptConfig, FrontmatterField, TextField, TextareaField, DateField, BooleanField, TagsField, FreeTagsField, ValidationResult, BackendConfig, SenderConfig, NavMenuConfig, PreviewConfig, ResolvedPreview, AssetConfig, RoutingRule, ConceptDescriptor, ConceptUrlPolicy, CairnExtension, CairnRuntime, AdminPanel, FieldTypeDef, } from './content/types.js';
 export { CONCEPT_ROUTING, normalizeConcepts, findConcept } from './content/concepts.js';
 export { composeRuntime } from './content/compose.js';
 export type { ComposeInput } from './content/compose.js';

package/dist/sveltekit/content-routes.d.ts

@@ -2,7 +2,7 @@ import { fail } from '@sveltejs/kit';
 import { type GithubKeyEnv } from '../github/credentials.js';
 import { type LinkTarget, type InboundLink } from '../content/manifest.js';
 import type { CookieJar, EventBase } from './types.js';
-import type { CairnRuntime, FrontmatterField } from '../content/types.js';
+import type { CairnRuntime, FrontmatterField, ResolvedPreview } from '../content/types.js';
 import type { Role } from '../auth/types.js';
 /** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
 export interface NavConcept {
@@ -87,6 +87,10 @@ export interface EditData {
     publishedFlash: boolean;
     /** True after a discard redirect (`?discarded=1`), for the confirmation strip. */
     discardedFlash: boolean;
+    /** The adapter's preview knob resolved for this entry's concept (its `byConcept` override,
+     *  when one exists, applied over the top-level values); null when the site sets none, which
+     *  leaves the frame rendering unstyled markup behind a hint. */
+    preview: ResolvedPreview | null;
 }
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent extends EventBase<GithubKeyEnv> {

package/dist/sveltekit/content-routes.js

@@ -16,12 +16,19 @@ import { emptyManifest, manifestEntryFromFile, parseManifest, serializeManifest,
 import { isConflict } from '../github/types.js';
 import { log } from '../log/index.js';
 import { issueCsrfToken } from './csrf.js';
-/** The signed-in editor the guard resolved, or a login redirect. Kept local to decouple event shapes. */
-function sessionOf(event) {
-    const editor = event.locals.editor;
-    if (!editor)
-        throw redirect(303, '/admin/login');
-    return editor;
+import { requireSession } from './guard.js';
+/** Resolve the effective preview for one concept: its `byConcept` override wins per key, with
+ *  nullish coalescing so an override key that is present but undefined keeps the top-level value.
+ *  Stylesheets are always shared, and the `byConcept` map never reaches the client. */
+function resolvePreview(preview, conceptId) {
+    if (!preview)
+        return null;
+    const override = preview.byConcept?.[conceptId];
+    return {
+        stylesheets: preview.stylesheets,
+        bodyClass: override?.bodyClass ?? preview.bodyClass,
+        containerClass: override?.containerClass ?? preview.containerClass,
+    };
 }
 /** Look up the concept named by the `[concept]` route param, or a 404. */
 function conceptOf(runtime, params) {
@@ -53,7 +60,7 @@ export function createContentRoutes(runtime, deps = {}) {
     /** Layout load for every admin page: the nav, the user, the active path, the resolved theme,
      *  and the pending entries behind the topbar's publish-all action. */
     async function layoutLoad(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const cookieTheme = event.cookies?.get('cairn-admin-theme');
         const theme = cookieTheme === 'cairn-admin-dark' ? 'cairn-admin-dark' : 'cairn-admin';
         const cookieCollapsed = event.cookies?.get('cairn-admin-nav-collapsed');
@@ -137,7 +144,7 @@ export function createContentRoutes(runtime, deps = {}) {
      *  with no manifest row appends a `new` row read from its branch. A listing failure degrades
      *  to an inline error, not a thrown 500. */
     async function listLoad(event) {
-        sessionOf(event);
+        requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const formError = event.url.searchParams.get('error');
         const publishedAllRaw = event.url.searchParams.get('publishedAll');
@@ -181,7 +188,7 @@ export function createContentRoutes(runtime, deps = {}) {
     }
     /** Create a new entry: validate the slug, compose a dated id when the concept is dated, refuse to clobber. */
     async function createAction(event) {
-        sessionOf(event);
+        requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const form = await event.request.formData();
         const slug = String(form.get('slug') ?? '').trim() || slugify(String(form.get('title') ?? ''));
@@ -228,7 +235,7 @@ export function createContentRoutes(runtime, deps = {}) {
     }
     /** Open a file for editing. A `?new=1` miss yields a blank document; any other miss is a 404. */
     async function editLoad(event) {
-        sessionOf(event);
+        requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         if (!isValidId(id))
@@ -289,6 +296,7 @@ export function createContentRoutes(runtime, deps = {}) {
             published,
             publishedFlash: event.url.searchParams.get('published') === '1',
             discardedFlash: event.url.searchParams.get('discarded') === '1',
+            preview: resolvePreview(runtime.preview, concept.id),
         };
     }
     /** Log a failed commit: a conflict is the expected last-writer-wins outcome, so it warns with a
@@ -386,7 +394,7 @@ export function createContentRoutes(runtime, deps = {}) {
     /** Save an edit: validate, then commit to the entry's pending branch with the session editor
      *  as author. Main and its manifest stay untouched until publish. Fails safe on 409. */
     async function saveAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         // Confine the commit path to the concept dir, built from a validated id (the App token can
@@ -408,7 +416,7 @@ export function createContentRoutes(runtime, deps = {}) {
      *  The branch is deleted only when its head still matches the commit this action made; a
      *  concurrent save moved it, so the entry stays pending and the next publish picks it up. */
     async function publishAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         if (!isValidId(id))
@@ -442,7 +450,7 @@ export function createContentRoutes(runtime, deps = {}) {
      *  Mounted on the concept list shim, but the topbar posts here from anywhere, so the route's
      *  concept param is ignored and the redirect lands on the first configured concept. */
     async function publishAllAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const first = runtime.concepts[0];
         if (!first)
             throw error(404, 'No content types configured');
@@ -521,7 +529,7 @@ export function createContentRoutes(runtime, deps = {}) {
     /** Discard an entry's pending edits: delete the branch (tolerant of already-gone) and return to
      *  the edit page when the entry lives on main, else to the list (the entry is gone entirely). */
     async function discardAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         if (!isValidId(id))
@@ -588,7 +596,7 @@ export function createContentRoutes(runtime, deps = {}) {
     }
     /** Delete an entry from its editor. The id comes from the route param. */
     async function deleteAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         if (!isValidId(id))
@@ -597,7 +605,7 @@ export function createContentRoutes(runtime, deps = {}) {
     }
     /** Delete an entry from the concept list. The id comes from the form body. */
     async function listDeleteAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const form = await event.request.formData();
         const id = String(form.get('id') ?? '');
@@ -610,7 +618,7 @@ export function createContentRoutes(runtime, deps = {}) {
      *  are the authoritative gate. The same last-writer-wins manifest race as save and delete applies,
      *  caught by the build's fail-closed backstop. */
     async function renameAction(event) {
-        const editor = sessionOf(event);
+        const editor = requireSession(event);
         const concept = conceptOf(runtime, event.params);
         const id = event.params.id ?? '';
         if (!isValidId(id))

package/dist/sveltekit/guard.d.ts

@@ -2,7 +2,13 @@ import type { Editor } from '../auth/types.js';
 import type { HandleInput, RequestContext } from './types.js';
 /** The SvelteKit `Handle` that guards `/admin/**` and hardens admin responses. */
 export declare function createAuthGuard(): ({ event, resolve }: HandleInput) => Promise<Response>;
-/** For a protected load/action: the session the guard already resolved, or a login redirect. */
-export declare function requireSession(event: RequestContext): Editor;
+/** For a protected load/action: the session the guard already resolved, or a login redirect.
+ *  The parameter is the minimal structural need (just `locals`), so every engine event shape
+ *  (RequestContext, the content routes' ContentEvent) and a real RequestEvent all satisfy it. */
+export declare function requireSession(event: {
+    locals: {
+        editor?: Editor | null;
+    };
+}): Editor;
 /** For the management surface: a signed-in owner, or 403 for an editor. */
 export declare function requireOwner(event: RequestContext): Editor;

package/dist/sveltekit/guard.js

@@ -80,7 +80,9 @@ export function createAuthGuard() {
         return response;
     };
 }
-/** For a protected load/action: the session the guard already resolved, or a login redirect. */
+/** For a protected load/action: the session the guard already resolved, or a login redirect.
+ *  The parameter is the minimal structural need (just `locals`), so every engine event shape
+ *  (RequestContext, the content routes' ContentEvent) and a real RequestEvent all satisfy it. */
 export function requireSession(event) {
     const editor = event.locals.editor;
     if (!editor)