@glw907/cairn-cms 0.50.0 → 0.51.0

package/src/lib/components/editor-highlight.ts

@@ -5,7 +5,7 @@ import { HighlightStyle } from '@codemirror/language';
 import { tags } from '@lezer/highlight';
 import { Decoration, ViewPlugin, type DecorationSet, type EditorView, type ViewUpdate } from '@codemirror/view';
 import { RangeSetBuilder } from '@codemirror/state';
-import { directiveLineKind, findInlineDirectives } from './markdown-directives.js';
+import { directiveLineKind, fenceDepths, findInlineDirectives } from './markdown-directives.js';
 
 /** Markdown token colors over the admin theme variables. */
 export function cairnHighlightStyle(): HighlightStyle {
@@ -27,19 +27,40 @@ export function cairnHighlightStyle(): HighlightStyle {
 // learns what the line is without leaving the page.
 const MACHINERY_HINT = 'Layout marker. Edit the text between these lines and leave this line as it is.';
 
-const fenceLine = Decoration.line({ class: 'cm-cairn-directive-fence', attributes: { title: MACHINERY_HINT } });
+// Nesting deeper than three steps shares the third visual step; the depth model itself is unbounded.
+const DEPTH_STEPS = [1, 2, 3];
+
+const fenceLines = DEPTH_STEPS.map((d) =>
+  Decoration.line({ class: `cm-cairn-directive-fence cm-cairn-depth-${d}`, attributes: { title: MACHINERY_HINT } }),
+);
+const contentLines = DEPTH_STEPS.map((d) => Decoration.line({ class: `cm-cairn-directive-content cm-cairn-depth-${d}` }));
 const leafLine = Decoration.line({ class: 'cm-cairn-directive-leaf', attributes: { title: MACHINERY_HINT } });
 const inlineMark = Decoration.mark({ class: 'cm-cairn-directive-inline' });
 
-function buildDirectiveDecorations(view: EditorView): DecorationSet {
+// Depth needs the whole document, since a visible line's containers can open above the viewport.
+// One regex pass per line, linear in the document; at admin entry sizes (tens of kilobytes) that
+// is well under a millisecond. The plugin caches the result, so the scan reruns only when the
+// document changes and a scroll rebuilds the viewport decorations from the cached array.
+function docDepths(view: EditorView): (number | null)[] {
+  const doc = view.state.doc;
+  const lines: string[] = [];
+  for (let n = 1; n <= doc.lines; n++) lines.push(doc.line(n).text);
+  return fenceDepths(lines);
+}
+
+function buildDirectiveDecorations(view: EditorView, depths: (number | null)[]): DecorationSet {
   const builder = new RangeSetBuilder<Decoration>();
   for (const { from, to } of view.visibleRanges) {
     for (let pos = from; pos <= to; ) {
       const line = view.state.doc.lineAt(pos);
       const kind = directiveLineKind(line.text);
-      if (kind === 'fence') builder.add(line.from, line.from, fenceLine);
+      const depth = Math.min(depths[line.number - 1] ?? 0, DEPTH_STEPS.length);
+      // A fence-shaped line at depth 0 is one the depth scan disowned (a documented example
+      // inside a code block, outside any container); it gets no machinery treatment.
+      if (kind === 'fence' && depth > 0) builder.add(line.from, line.from, fenceLines[depth - 1]);
       else if (kind === 'leaf') builder.add(line.from, line.from, leafLine);
-      else {
+      else if (kind === null) {
+        if (depth > 0) builder.add(line.from, line.from, contentLines[depth - 1]);
         for (const r of findInlineDirectives(line.text)) {
           builder.add(line.from + r.from, line.from + r.to, inlineMark);
         }
@@ -55,11 +76,15 @@ export function cairnDirectivePlugin() {
   return ViewPlugin.fromClass(
     class {
       decorations: DecorationSet;
+      depths: (number | null)[];
       constructor(view: EditorView) {
-        this.decorations = buildDirectiveDecorations(view);
+        this.depths = docDepths(view);
+        this.decorations = buildDirectiveDecorations(view, this.depths);
       }
       update(update: ViewUpdate) {
-        if (update.docChanged || update.viewportChanged) this.decorations = buildDirectiveDecorations(update.view);
+        if (update.docChanged) this.depths = docDepths(update.view);
+        if (update.docChanged || update.viewportChanged)
+          this.decorations = buildDirectiveDecorations(update.view, this.depths);
       }
     },
     { decorations: (v) => v.decorations },

package/src/lib/components/markdown-directives.ts

@@ -2,10 +2,19 @@
 // styled distinctly so an editor can tell component scaffolding from prose). Pure functions; the
 // CodeMirror decoration plugin wraps them.
 
-const FENCE = /^\s{0,3}:::+\s*[\w-]*\s*(\{[^}]*\})?\s*$/;
+// A container fence: three or more colons, then an optional name, an optional [label], and
+// optional {attrs}, in remark-directive order. The name is captured so the depth scan below can
+// tell an opener (named) from a closer (bare colons). Matching is tolerant of stray whitespace,
+// the same posture as the leaf form: a slightly off fence should still read as machinery.
+const FENCE = /^\s{0,3}:{3,}\s*([\w-]*)\s*(\[[^\]]*\])?\s*(\{[^}]*\})?\s*$/;
 const LEAF = /^\s{0,3}::[\w-]+(\[[^\]]*\])?(\{[^}]*\})?\s*$/;
 const INLINE = /(?<![:\w]):[\w-]+\[[^\]]*\](\{[^}]*\})?/g;
 
+// A fenced code block's delimiter: three or more backticks or tildes, indent-tolerant like the
+// directive forms. The depth scan tracks these so a documented ::: example inside a code block
+// never opens a real container.
+const CODE_FENCE = /^\s{0,3}(`{3,}|~{3,})/;
+
 /** Classify a whole line as a container fence, a leaf directive, or neither. */
 export function directiveLineKind(line: string): 'fence' | 'leaf' | null {
   if (FENCE.test(line)) return 'fence';
@@ -13,6 +22,47 @@ export function directiveLineKind(line: string): 'fence' | 'leaf' | null {
   return null;
 }
 
+/**
+ * The 1-based container depth each line sits at, or null outside any container. A named fence
+ * opens a container; a bare fence closes the most recent one (colon counts are not trusted for
+ * pairing, since authors vary them). An opener and its closer share the opener's depth, and a
+ * line between them carries the depth of its innermost container. Lines inside a fenced code
+ * block are plain content, so a documented ::: example cannot open a phantom container running
+ * to end of document. Author errors are tolerated: an unmatched closer reads as depth 1 and the
+ * count never goes below zero.
+ */
+export function fenceDepths(lines: string[]): (number | null)[] {
+  const depths: (number | null)[] = [];
+  let open = 0;
+  // The marker character that opened the current code block, or null outside one. Only a line
+  // opening with the same character closes it, so tildes inside a backtick block stay literal.
+  let codeMarker: string | null = null;
+  for (const line of lines) {
+    const code = CODE_FENCE.exec(line);
+    if (code) {
+      if (codeMarker === null) codeMarker = code[1][0];
+      else if (code[1][0] === codeMarker) codeMarker = null;
+      depths.push(open > 0 ? open : null);
+      continue;
+    }
+    if (codeMarker !== null) {
+      depths.push(open > 0 ? open : null);
+      continue;
+    }
+    const fence = FENCE.exec(line);
+    if (!fence) {
+      depths.push(open > 0 ? open : null);
+    } else if (fence[1]) {
+      open += 1;
+      depths.push(open);
+    } else {
+      depths.push(Math.max(open, 1));
+      if (open > 0) open -= 1;
+    }
+  }
+  return depths;
+}
+
 /** Inline directive ranges (`:name[...]{...}`) within a line of text. */
 export function findInlineDirectives(text: string): { from: number; to: number }[] {
   const out: { from: number; to: number }[] = [];

package/src/lib/components/preview-doc.ts

@@ -0,0 +1,82 @@
+// cairn-cms: the edit page's preview-frame document. The admin's chrome isolation keeps the
+// site's CSS out of the admin document, so EditPage renders the preview inside a sandboxed
+// iframe whose document links the site's own stylesheets from the adapter's preview knob. This
+// module builds that iframe's srcdoc as one pure string, so its shape is unit-testable, and it
+// carries the device table the frame's width control offers.
+
+import { escapeHtml } from '../escape.js';
+import type { ResolvedPreview } from '../content/types.js';
+
+/** One width the preview frame can take. */
+export interface PreviewDevice {
+  id: 'desktop' | 'tablet' | 'phone' | 'small';
+  /** The device menu label, also the frame caption's first half. */
+  label: string;
+  /** Frame width in CSS pixels; null fills the pane (Desktop). */
+  width: number | null;
+}
+
+/** A preview device's id, the value the page persists. */
+export type PreviewDeviceId = PreviewDevice['id'];
+
+/** The four widths the device menu offers, in menu order. Desktop leads as the default. */
+export const previewDevices: PreviewDevice[] = [
+  { id: 'desktop', label: 'Desktop', width: null },
+  { id: 'tablet', label: 'Tablet', width: 768 },
+  { id: 'phone', label: 'Phone', width: 390 },
+  { id: 'small', label: 'Small phone', width: 320 },
+];
+
+/** The table row for a device id. The id type makes a miss impossible; the fallback satisfies find. */
+export function previewDevice(id: PreviewDeviceId): PreviewDevice {
+  return previewDevices.find((d) => d.id === id) ?? previewDevices[0];
+}
+
+/** A device's user-facing text, shared by the toolbar's menu items and the frame caption: the
+ *  label with its width when one is fixed, so the value reaches assistive tech at pick time. */
+export function deviceLabel(d: PreviewDevice): string {
+  return d.width === null ? d.label : `${d.label} · ${d.width} px`;
+}
+
+/**
+ * Build the preview iframe's srcdoc: a complete document linking the site's stylesheets around
+ * the rendered entry html. The html comes from the site's floored render pipeline, which already
+ * stripped scripts and event handlers, so it embeds unescaped; the frame's empty `sandbox` is
+ * belt and braces over that floor. The parameter is the flat `ResolvedPreview` shape `editLoad`
+ * ships, so the per-concept map can never reach the frame document by construction.
+ * `preview` null (a site without the adapter knob) yields a styleless but complete document.
+ */
+export function buildPreviewDoc(html: string, preview: ResolvedPreview | null): string {
+  const links = (preview?.stylesheets ?? [])
+    .map((href) => `<link rel="stylesheet" href="${escapeHtml(href)}">`)
+    .join('\n');
+  const bodyAttrs = preview?.bodyClass ? ` class="${escapeHtml(preview.bodyClass)}"` : '';
+  const content = preview?.containerClass
+    ? `<div class="${escapeHtml(preview.containerClass)}">${html}</div>`
+    : html;
+  // The reset sits BEFORE the site links so the site's CSS wins every collision: it only clears
+  // the default body margin and pins a white ground for sheets that assume one.
+  //
+  // The base tag is what makes links inert. The empty sandbox alone does not: a sandboxed
+  // context may still navigate itself, and a srcdoc document resolves relative hrefs against the
+  // parent's base URL, so a clicked fragment or root link could render the admin login inside
+  // the frame. Targeting every link at a new tab turns each click into a popup, and the sandbox
+  // (which grants no allow-popups) blocks it, so a proofing click goes nowhere.
+  return [
+    '<!doctype html>',
+    '<html>',
+    '<head>',
+    '<meta charset="utf-8">',
+    '<meta name="viewport" content="width=device-width, initial-scale=1">',
+    '<base target="_blank">',
+    '<style>body{margin:0;background:#fff}</style>',
+    links,
+    '</head>',
+    `<body${bodyAttrs}>`,
+    content,
+    '</body>',
+    '</html>',
+  ]
+    .filter((line) => line !== '')
+    .join('\n');
+}

package/src/lib/content/compose.ts

@@ -44,6 +44,7 @@ export function composeRuntime({ adapter, siteConfig, extensions = [] }: Compose
     registry: adapter.registry,
     icons: adapter.icons,
     navMenu: adapter.navMenu,
+    preview: adapter.preview,
     assets: adapter.assets,
     adminPanels,
     fieldTypes,

package/src/lib/content/types.ts

@@ -154,6 +154,33 @@ export interface NavMenuConfig {
   maxDepth?: number;
 }
 
+/**
+ * How the edit page's preview frame reproduces the live site's content styling. The admin
+ * deliberately never loads the site's CSS (chrome isolation), so a design-accurate preview needs
+ * the site to name its stylesheets for the preview frame; without this knob the preview renders
+ * unstyled markup. The frame's srcdoc pins a white body background as a deliberately overridable
+ * default, so a site whose ground is not white should state its body background in its own
+ * stylesheet.
+ */
+export interface PreviewConfig {
+  /** Absolute or root-relative URLs of the site's compiled stylesheets, linked inside the
+   *  preview document. A Vite `?url` import of the site's CSS resolves the hashed asset URL. */
+  stylesheets: string[];
+  /** Class list applied to the preview document's body, for theme or typography roots. */
+  bodyClass?: string;
+  /** Class list for a wrapper element around the rendered content, reproducing the site's
+   *  content container (a prose or measure class). Omitted renders the content bare. */
+  containerClass?: string;
+  /** Per-concept overrides of bodyClass and containerClass, keyed by concept id. An entry's
+   *  preview resolves the override for its concept over the top-level values; stylesheets are
+   *  always shared. */
+  byConcept?: Record<string, { bodyClass?: string; containerClass?: string }>;
+}
+
+/** The flat preview shape `editLoad` ships to the edit page: the top-level `PreviewConfig`
+ *  values with the entry's concept override applied, and no `byConcept` map. */
+export type ResolvedPreview = Omit<PreviewConfig, 'byConcept'>;
+
 /** Reserved asset slot (seam 4). Typed and unused in the rebuild; R7/R9 read it later with no contract change. */
 export interface AssetConfig {
   /** Repo-relative asset roots, e.g. ["static/images"]. */
@@ -187,6 +214,9 @@ export interface CairnAdapter {
   /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
   icons?: IconSet;
   navMenu?: NavMenuConfig;
+  /** The live site's content styling for the preview frame. The admin's chrome isolation keeps
+   *  the site's CSS out of the admin document, so the preview frame links these instead. */
+  preview?: PreviewConfig;
   assets?: AssetConfig;
 }
 
@@ -285,6 +315,8 @@ export interface CairnRuntime {
   /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
   icons?: IconSet;
   navMenu?: NavMenuConfig;
+  /** The live site's content styling for the preview frame; passed through from the adapter. */
+  preview?: PreviewConfig;
   assets?: AssetConfig;
   /** Admin panels contributed by extensions (Mode 2). Empty until Plan 09 wires the dispatch route. */
   adminPanels?: AdminPanel[];

package/src/lib/diagnostics/conditions.ts

@@ -101,6 +101,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		remediation: "Set csrf: { checkOrigin: false } in svelte.config.js and wire createAuthGuard into src/hooks.server.ts; cairn's guard owns the Origin and double-submit token checks.",
 		docsAnchor: 'cloudflare-readiness.md#hand-cairn-the-csrf-authority',
 	},
+	'config.public-origin-invalid': {
+		id: 'config.public-origin-invalid',
+		severity: 'blocker',
+		title: 'PUBLIC_ORIGIN is missing or invalid',
+		why: 'PUBLIC_ORIGIN is unset, does not parse as a URL, or uses http on a non-local host. The magic-link confirmation links and the absolute feed URLs derive from it, config-only so a forged Host header cannot redirect a link, and sign-in cannot mint a usable link without it.',
+		remediation: "Set PUBLIC_ORIGIN to the site's canonical https origin in the wrangler config vars (with .dev.vars carrying the local http override), then re-deploy; http passes only on localhost or 127.0.0.1.",
+		docsAnchor: 'cloudflare-readiness.md#set-the-public-origin',
+	},
 	'config.site-config-invalid': {
 		id: 'config.site-config-invalid',
 		severity: 'blocker',
@@ -109,6 +117,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		remediation: 'Correct site.config.yaml; the parse or validation error names the failing field or URL-policy rule.',
 		docsAnchor: 'cloudflare-readiness.md#validate-the-site-config',
 	},
+	'config.dependency-floors-unmet': {
+		id: 'config.dependency-floors-unmet',
+		severity: 'blocker',
+		title: 'A framework dependency sits below the engine floor',
+		why: 'The lockfile resolves svelte or @sveltejs/kit below the range the engine declares as a peer. Consumer sites compile the shipped .svelte sources, so a below-floor compiler bites silently at build time; svelte 5.56.1 miscompiles parenthesized boolean groupings, which is why the svelte floor is ^5.56.3.',
+		remediation: "Raise the devDependency range in the site's package.json to the engine peer range and reinstall so the lockfile re-resolves, for example `npm install --save-dev svelte@^5.56.3`.",
+		docsAnchor: 'cloudflare-readiness.md#meet-the-dependency-floors',
+	},
 	'edge.hsts-off': {
 		id: 'edge.hsts-off',
 		severity: 'warning',
@@ -134,6 +150,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		docsAnchor: 'cloudflare-readiness.md#install-the-github-app',
 		logEvent: 'github.unreachable',
 	},
+	'admin.login-probe-failed': {
+		id: 'admin.login-probe-failed',
+		severity: 'blocker',
+		title: 'Live admin login probe failed',
+		why: 'A live request to the deployed admin did not answer with the working sign-in envelope (the login page, its CSRF cookie and hidden field, and the request action), so a real editor cannot sign in either. A probe failure has many possible causes; the detail line names the assertion that failed.',
+		remediation: 'Read the failed assertion in the detail line, run the full doctor against the same site, and work through the deploy guide; the other checks narrow the cause.',
+		docsAnchor: 'cloudflare-readiness.md#probe-the-deployed-admin',
+	},
 };
 
 // The registry is shared identity, never working state; freeze every entry and the map itself.

package/src/lib/doctor/bin.ts

@@ -7,8 +7,17 @@
 // before the process ends.
 import { readFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
+import { liveProbeCheck } from './check-probe.js';
 import { liveSendCheck } from './check-send.js';
-import { contextFromEnv, defaultChecks, formatReport, parseArgs, runDoctor } from './index.js';
+import { readWranglerConfig } from './wrangler-config.js';
+import {
+	contextFromEnv,
+	defaultChecks,
+	deriveMissingInputs,
+	formatReport,
+	parseArgs,
+	runDoctor,
+} from './index.js';
 
 async function main(): Promise<void> {
 	let args: ReturnType<typeof parseArgs>;
@@ -21,21 +30,37 @@ async function main(): Promise<void> {
 	}
 
 	const cwd = process.cwd();
+	const readFileUnderCwd = async (relPath: string): Promise<string | null> => {
+		try {
+			return await readFile(resolve(cwd, relPath), 'utf8');
+		} catch (err) {
+			if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
+			throw err;
+		}
+	};
+	// Fill inputs the flags and env left missing from the repo itself: from and repo off the
+	// adapter (through the vite arm, which exists only on this bin path, never in a Worker)
+	// and the account id off the wrangler config. The API token stays env-only.
+	const derived = await deriveMissingInputs(contextFromEnv(process.env, args, cwd), {
+		adapterFacts: async () => {
+			const { readAdapterFacts } = await import('../vite/index.js');
+			return readAdapterFacts(cwd);
+		},
+		wranglerAccountId: async () => (await readWranglerConfig(readFileUnderCwd))?.accountId,
+	});
 	const ctx = {
-		...contextFromEnv(process.env, args, cwd),
+		...derived,
 		fetch: globalThis.fetch,
-		readFile: async (relPath: string): Promise<string | null> => {
-			try {
-				return await readFile(resolve(cwd, relPath), 'utf8');
-			} catch (err) {
-				if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
-				throw err;
-			}
-		},
+		readFile: readFileUnderCwd,
 	};
 
 	const checks = defaultChecks();
 	if (args.sendTest) checks.push(liveSendCheck(args.sendTest));
+	// The probe is an opt-in network POST against a live site, so it joins only on --probe;
+	// the bare flag hands the URL resolution (the PUBLIC_ORIGIN input) to the check itself.
+	if (args.probe !== undefined) {
+		checks.push(liveProbeCheck(args.probe === true ? undefined : args.probe));
+	}
 
 	const { results, failed } = await runDoctor(checks, ctx);
 	console.log(formatReport(results));

package/src/lib/doctor/check-floors.ts

@@ -0,0 +1,124 @@
+// The dependency-floors check. The engine's peer ranges have teeth only when something reads
+// the consumer's lockfile, where a transitively pinned svelte can sit below the floor while
+// package.json looks fine (the ecxc retrofit shipped svelte 5.56.0 that way). The check compares
+// the resolved svelte and @sveltejs/kit versions in package-lock.json against the peer ranges
+// the installed @glw907/cairn-cms declares, read at runtime so the floors live in one place.
+import { createRequire } from 'node:module';
+import { fail, pass, skip } from './types.js';
+import type { CheckResult, DoctorCheck, DoctorContext } from './types.js';
+
+interface Version {
+	major: number;
+	minor: number;
+	patch: number;
+}
+
+// Plain x.y.z only. A prerelease or build tag returns null, so the check skips rather than
+// guessing how a tagged build orders against the floor.
+function parseVersion(text: string): Version | null {
+	const m = text.match(/^(\d+)\.(\d+)\.(\d+)$/);
+	if (!m) return null;
+	return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
+}
+
+// The engine's peers are simple caret ranges (^x.y.z, or ^x.y like the kit floor ^2.12), so
+// this handles the caret form only; anything else returns null and the check skips for that
+// dependency instead of approximating a full semver implementation.
+function caretFloor(range: string): Version | null {
+	const m = range.match(/^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+	if (!m) return null;
+	return { major: Number(m[1]), minor: Number(m[2] ?? 0), patch: Number(m[3] ?? 0) };
+}
+
+function compareVersions(a: Version, b: Version): number {
+	return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
+}
+
+// A v2/v3 lockfile's packages map; v1 has none and the check skips.
+interface LockPackages {
+	packages?: Record<string, { version?: unknown } | undefined>;
+}
+
+function lockedVersion(lock: LockPackages, dep: string): string | undefined {
+	const version = lock.packages?.[`node_modules/${dep}`]?.version;
+	return typeof version === 'string' ? version : undefined;
+}
+
+/**
+ * Judge a lockfile's resolved framework versions against the engine's peer ranges. Pure, so the
+ * tests drive it table-style; the check object wires in the real lockfile and the real peers.
+ * A below-range version fails; a lockfile or entry the check cannot read skips, since a pnpm or
+ * yarn consumer carries no package-lock.json at all.
+ */
+export function dependencyFloorsResult(
+	lockText: string | null,
+	peers: Record<string, string>
+): CheckResult {
+	if (lockText === null) {
+		return skip('no package-lock.json found (a pnpm or yarn lockfile is not read)');
+	}
+	let lock: LockPackages;
+	try {
+		lock = JSON.parse(lockText) as LockPackages;
+	} catch {
+		// Like the wrangler reader: never echo file content into the report.
+		return fail('package-lock.json did not parse');
+	}
+	if (lock.packages === undefined) {
+		return skip('package-lock.json carries no packages map (lockfile v1; reinstall with a current npm)');
+	}
+	const failures: string[] = [];
+	const skips: string[] = [];
+	const passes: string[] = [];
+	for (const [dep, range] of Object.entries(peers)) {
+		const floor = caretFloor(range);
+		if (floor === null) {
+			skips.push(`${dep}: the engine range ${range} is not a simple caret range`);
+			continue;
+		}
+		const resolved = lockedVersion(lock, dep);
+		if (resolved === undefined) {
+			skips.push(`${dep}: no node_modules/${dep} entry in package-lock.json`);
+			continue;
+		}
+		const version = parseVersion(resolved);
+		if (version === null) {
+			skips.push(`${dep}: resolved ${resolved} is not a plain x.y.z version`);
+			continue;
+		}
+		// The caret bounds both ends: at or above the floor, same major. The engine's peers
+		// start at major 1 or higher, so the 0.x caret nuance never applies here.
+		if (compareVersions(version, floor) < 0) {
+			failures.push(`${dep} resolves to ${resolved}, below the engine floor ${range}`);
+		} else if (version.major !== floor.major) {
+			failures.push(`${dep} resolves to ${resolved}, outside the engine peer range ${range}`);
+		} else {
+			passes.push(`${dep} ${resolved}`);
+		}
+	}
+	if (failures.length > 0) return fail(failures.join('; '));
+	if (skips.length > 0) return skip(skips.join('; '));
+	return pass(`${passes.join(' and ')} satisfy the engine peer ranges`);
+}
+
+/**
+ * The engine's own declared peer ranges, read from the installed package.json at runtime so the
+ * floors are declared exactly once. The self-reference resolves through the consumer's
+ * node_modules in a real install and through the repo root during development.
+ */
+export function readEnginePeers(): Record<string, string> {
+	const require = createRequire(import.meta.url);
+	const pkg = require('@glw907/cairn-cms/package.json') as {
+		peerDependencies?: Record<string, string>;
+	};
+	return pkg.peerDependencies ?? {};
+}
+
+export const configDependencyFloors: DoctorCheck = {
+	id: 'config.dependency-floors',
+	conditionId: 'config.dependency-floors-unmet',
+	title: 'Dependency floors',
+	async run(ctx: DoctorContext): Promise<CheckResult> {
+		return dependencyFloorsResult(await ctx.readFile('package-lock.json'), readEnginePeers());
+	},
+};

package/src/lib/doctor/check-probe.ts

@@ -0,0 +1,138 @@
+// The doctor's opt-in live probe (--probe): one GET and one POST against a deployed admin,
+// asserting the envelope a working sign-in presents. Zero side effects by construction: the
+// POST submits a random non-editor address, and the engine's non-leak design answers a
+// non-editor with the identical sent body while sending no email and minting no token, so the
+// probe leaves nothing behind on the site. A factory rather than a check constant, the same
+// shape as the live send: the check exists only when the bin receives --probe.
+import { fail, pass, skip } from './types.js';
+import type { CheckResult, DoctorCheck, DoctorContext } from './types.js';
+import { csrfCookieName } from '../auth/crypto.js';
+import { readWranglerConfig } from './wrangler-config.js';
+
+const NO_URL: CheckResult = skip(
+	'pass --probe <url>, set PUBLIC_ORIGIN in the wrangler vars, or set PUBLIC_ORIGIN in the environment'
+);
+
+/** Build the live-probe check. A missing url falls back to the PUBLIC_ORIGIN input at run time. */
+export function liveProbeCheck(url?: string): DoctorCheck {
+	return {
+		id: 'admin.login-probe',
+		conditionId: 'admin.login-probe-failed',
+		title: 'Live admin login probe',
+		async run(ctx: DoctorContext): Promise<CheckResult> {
+			// The wrangler vars hold the value the deployed Worker reads, so they beat the local
+			// environment, the same precedence the public-origin check applies.
+			const base =
+				url ?? (await readWranglerConfig(ctx.readFile))?.publicOrigin ?? ctx.publicOrigin;
+			if (base === undefined) return NO_URL;
+			let origin: URL;
+			try {
+				origin = new URL(base);
+			} catch {
+				return fail(`probe URL does not parse: ${base}`);
+			}
+			try {
+				return await probe(ctx, origin);
+			} catch (err) {
+				return fail(String(err));
+			}
+		},
+	};
+}
+
+/** GET /admin/login and assert the sign-in envelope, then hand the harvested token pair on. */
+async function probe(ctx: DoctorContext, origin: URL): Promise<CheckResult> {
+	const res = await ctx.fetch(String(new URL('/admin/login', origin)));
+	if (res.status !== 200) {
+		return fail(`GET /admin/login returned ${res.status}, expected 200`);
+	}
+	const cookieName = csrfCookieName(origin.protocol === 'https:');
+	const cookieValue = setCookieValue(res.headers.getSetCookie(), cookieName);
+	if (cookieValue === undefined) {
+		return fail(`GET /admin/login set no ${cookieName} cookie`);
+	}
+	const html = await res.text();
+	const field = csrfFieldValue(html);
+	if (field === undefined) {
+		return fail('the login page carries no name="csrf" hidden field with a value');
+	}
+	if (!/<form[^>]*action="[^"]*\?\/request"/.test(html)) {
+		return fail('the login page carries no form posting the ?/request action');
+	}
+	return postRequestAction(ctx, origin, `${cookieName}=${cookieValue}`, field);
+}
+
+/** The named cookie's value from the Set-Cookie lines, or undefined when no line names it. */
+function setCookieValue(lines: string[], name: string): string | undefined {
+	for (const line of lines) {
+		const eq = line.indexOf('=');
+		if (eq === -1 || line.slice(0, eq).trim() !== name) continue;
+		const rest = line.slice(eq + 1);
+		const semi = rest.indexOf(';');
+		return semi === -1 ? rest : rest.slice(0, semi);
+	}
+	return undefined;
+}
+
+/** The csrf hidden field's value, tolerant of attribute order, or undefined when absent or empty. */
+function csrfFieldValue(html: string): string | undefined {
+	const input = (html.match(/<input[^>]*>/g) ?? []).find((tag) => /name="csrf"/.test(tag));
+	if (input === undefined) return undefined;
+	return /value="([^"]+)"/.exec(input)?.[1];
+}
+
+/**
+ * POST the request action and read its serialized result. The address is random and non-editor
+ * at the reserved example.invalid domain, so even a delivery bug could send nothing anywhere,
+ * and the engine's non-leak design makes the response indistinguishable from a real send.
+ */
+async function postRequestAction(
+	ctx: DoctorContext,
+	origin: URL,
+	cookie: string,
+	csrf: string
+): Promise<CheckResult> {
+	const email = `cairn-doctor-probe-${Math.random().toString(36).slice(2, 10)}@example.invalid`;
+	const res = await ctx.fetch(String(new URL('/admin/login?/request', origin)), {
+		method: 'POST',
+		headers: {
+			'content-type': 'application/x-www-form-urlencoded',
+			cookie,
+		},
+		body: new URLSearchParams({ email, csrf }).toString(),
+	});
+	if (res.status !== 200) {
+		return fail(`POST ?/request returned ${res.status}, expected 200`);
+	}
+	// A no-Accept action POST answers with SvelteKit's serialized form-action JSON, shaped
+	// {"type":"success","status":200,"data":"<devalue array string>"}. The data field is a
+	// devalue encoding the probe reads by containment for the status literals, tolerant of
+	// encoding details it does not own, instead of pulling in a devalue parser.
+	let envelope: { type?: unknown; data?: unknown };
+	try {
+		envelope = (await res.json()) as { type?: unknown; data?: unknown };
+	} catch {
+		return fail('POST ?/request did not answer with the serialized action JSON');
+	}
+	if (envelope.type !== 'success') {
+		return fail(`POST ?/request answered type ${String(envelope.type)}, expected success`);
+	}
+	const data = typeof envelope.data === 'string' ? envelope.data : '';
+	if (data.includes('"send_error"')) {
+		return fail(
+			'the request action answered send_error; the magic-link send path is failing (see the email checks and the auth.link.send_failed log records)'
+		);
+	}
+	// Every payload carries the "sent" field name, so the distinct status spellings go first.
+	if (data.includes('"throttled"')) {
+		return pass(
+			`sign-in envelope verified at ${origin.origin}; the request action answered throttled (a real cooldown window is active), which still proves the path`
+		);
+	}
+	if (data.includes('"sent"')) {
+		return pass(
+			`sign-in envelope verified at ${origin.origin}; the request action answered sent for a non-editor probe address`
+		);
+	}
+	return fail('POST ?/request answered success with an unrecognized payload');
+}