@glw907/cairn-cms 0.50.0 → 0.52.0

package/dist/components/fonts/iAWriterMono-OFL.txt

@@ -0,0 +1,100 @@
+# iA Writer Typeface
+
+Copyright © 2018 Information Architects Inc. with Reserved Font Name "iA Writer"
+
+# Based on IBM Plex Typeface
+
+Copyright © 2017 IBM Corp. with Reserved Font Name "Plex"
+
+# License
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded,
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.

package/dist/components/markdown-directives.d.ts

@@ -1,5 +1,56 @@
 /** Classify a whole line as a container fence, a leaf directive, or neither. */
 export declare function directiveLineKind(line: string): 'fence' | 'leaf' | null;
+/** One pass over the document: each line's container depth alongside its fence role. */
+export interface FenceScan {
+    /** The 1-based container depth per line, or null outside any container. */
+    depths: (number | null)[];
+    /** Whether a line opened or closed a container, or null for everything else. A fence-shaped
+     *  line the code-block tracking disowned is null too, so the role array is the one source of
+     *  truth for pairing and no caller re-parses a line the scan already judged. */
+    roles: ('opener' | 'closer' | null)[];
+}
+/**
+ * Scan the document's container structure in one pass. A named fence opens a container; a bare
+ * fence closes the most recent one (colon counts are not trusted for pairing, since authors
+ * vary them). An opener and its closer share the opener's depth, and a line between them
+ * carries the depth of its innermost container. Lines inside a fenced code block are plain
+ * content, so a documented ::: example cannot open a phantom container running to end of
+ * document. Author errors are tolerated: an unmatched closer reads as depth 1 and the count
+ * never goes below zero.
+ */
+export declare function fenceScan(lines: string[]): FenceScan;
+/** The depth half of {@link fenceScan}, for callers that need no roles. */
+export declare function fenceDepths(lines: string[]): (number | null)[];
+/** The inclusive line span of one directive container. */
+export interface ContainerRange {
+    fromLine: number;
+    toLine: number;
+    depth: number;
+}
+/**
+ * The innermost container around a caret line, as an inclusive line range, or null outside any
+ * container. Works from the cached scan without re-parsing: the caret line's own depth names
+ * the container (fence rows carry the depth they delimit, so a caret on a fence belongs to
+ * that fence's container), and within a container the only same-depth real fences are its
+ * opener and closer (nested containers sit deeper, siblings sit outside), so the nearest
+ * opener above and the nearest closer below bound the range. The scan's roles already disown a
+ * fence-shaped line inside a code block, so a documented example can never clip the range. An
+ * unclosed container runs to the document end.
+ */
+export declare function caretContainerRange(scan: FenceScan, caretLine: number): ContainerRange | null;
+/** One span of a fence line, in line-local offsets: machinery (`mark`) or meaning (`label`). */
+export interface FenceToken {
+    from: number;
+    to: number;
+    kind: 'mark' | 'label';
+}
+/**
+ * Split a fence line into machinery and meaning. The colon run, the label's brackets, and the
+ * whole {attrs} group are machinery; the directive name and the label text are meaning, the
+ * parts an editor reads. A bare closer is a single machinery span, and a non-fence line yields
+ * no spans at all.
+ */
+export declare function fenceTokens(line: string): FenceToken[];
 /** Inline directive ranges (`:name[...]{...}`) within a line of text. */
 export declare function findInlineDirectives(text: string): {
     from: number;

package/dist/components/markdown-directives.js

@@ -1,9 +1,19 @@
 // Remark-directive detection for the editor's machinery highlighting (spec: directive syntax is
 // styled distinctly so an editor can tell component scaffolding from prose). Pure functions; the
 // CodeMirror decoration plugin wraps them.
-const FENCE = /^\s{0,3}:::+\s*[\w-]*\s*(\{[^}]*\})?\s*$/;
+// A container fence: three or more colons, then an optional name, an optional [label], and
+// optional {attrs}, in remark-directive order. The name is captured so the depth scan below can
+// tell an opener (named) from a closer (bare colons), and the d flag records each group's span
+// so fenceTokens can split the line without re-parsing. Matching is tolerant of stray
+// whitespace, the same posture as the leaf form: a slightly off fence should still read as
+// machinery.
+const FENCE = /^\s{0,3}(:{3,})\s*([\w-]*)\s*(\[[^\]]*\])?\s*(\{[^}]*\})?\s*$/d;
 const LEAF = /^\s{0,3}::[\w-]+(\[[^\]]*\])?(\{[^}]*\})?\s*$/;
 const INLINE = /(?<![:\w]):[\w-]+\[[^\]]*\](\{[^}]*\})?/g;
+// A fenced code block's delimiter: three or more backticks or tildes, indent-tolerant like the
+// directive forms. The depth scan tracks these so a documented ::: example inside a code block
+// never opens a real container.
+const CODE_FENCE = /^\s{0,3}(`{3,}|~{3,})/;
 /** Classify a whole line as a container fence, a leaf directive, or neither. */
 export function directiveLineKind(line) {
     if (FENCE.test(line))
@@ -12,6 +22,125 @@ export function directiveLineKind(line) {
         return 'leaf';
     return null;
 }
+/**
+ * Scan the document's container structure in one pass. A named fence opens a container; a bare
+ * fence closes the most recent one (colon counts are not trusted for pairing, since authors
+ * vary them). An opener and its closer share the opener's depth, and a line between them
+ * carries the depth of its innermost container. Lines inside a fenced code block are plain
+ * content, so a documented ::: example cannot open a phantom container running to end of
+ * document. Author errors are tolerated: an unmatched closer reads as depth 1 and the count
+ * never goes below zero.
+ */
+export function fenceScan(lines) {
+    const depths = [];
+    const roles = [];
+    let open = 0;
+    // The marker character that opened the current code block, or null outside one. Only a line
+    // opening with the same character closes it, so tildes inside a backtick block stay literal.
+    let codeMarker = null;
+    for (const line of lines) {
+        const code = CODE_FENCE.exec(line);
+        if (code) {
+            if (codeMarker === null)
+                codeMarker = code[1][0];
+            else if (code[1][0] === codeMarker)
+                codeMarker = null;
+            depths.push(open > 0 ? open : null);
+            roles.push(null);
+            continue;
+        }
+        if (codeMarker !== null) {
+            depths.push(open > 0 ? open : null);
+            roles.push(null);
+            continue;
+        }
+        const fence = FENCE.exec(line);
+        if (!fence) {
+            depths.push(open > 0 ? open : null);
+            roles.push(null);
+        }
+        else if (fence[2]) {
+            open += 1;
+            depths.push(open);
+            roles.push('opener');
+        }
+        else {
+            depths.push(Math.max(open, 1));
+            roles.push('closer');
+            if (open > 0)
+                open -= 1;
+        }
+    }
+    return { depths, roles };
+}
+/** The depth half of {@link fenceScan}, for callers that need no roles. */
+export function fenceDepths(lines) {
+    return fenceScan(lines).depths;
+}
+/**
+ * The innermost container around a caret line, as an inclusive line range, or null outside any
+ * container. Works from the cached scan without re-parsing: the caret line's own depth names
+ * the container (fence rows carry the depth they delimit, so a caret on a fence belongs to
+ * that fence's container), and within a container the only same-depth real fences are its
+ * opener and closer (nested containers sit deeper, siblings sit outside), so the nearest
+ * opener above and the nearest closer below bound the range. The scan's roles already disown a
+ * fence-shaped line inside a code block, so a documented example can never clip the range. An
+ * unclosed container runs to the document end.
+ */
+export function caretContainerRange(scan, caretLine) {
+    const { depths, roles } = scan;
+    const depth = depths[caretLine] ?? null;
+    if (depth === null)
+        return null;
+    let fromLine = caretLine;
+    for (let i = caretLine; i >= 0; i--) {
+        if (depths[i] === depth && roles[i] === 'opener') {
+            fromLine = i;
+            break;
+        }
+    }
+    let toLine = depths.length - 1;
+    for (let i = caretLine; i < depths.length; i++) {
+        if (depths[i] === depth && roles[i] === 'closer') {
+            toLine = i;
+            break;
+        }
+    }
+    return { fromLine, toLine, depth };
+}
+/**
+ * Split a fence line into machinery and meaning. The colon run, the label's brackets, and the
+ * whole {attrs} group are machinery; the directive name and the label text are meaning, the
+ * parts an editor reads. A bare closer is a single machinery span, and a non-fence line yields
+ * no spans at all.
+ */
+export function fenceTokens(line) {
+    const m = FENCE.exec(line);
+    if (!m?.indices)
+        return [];
+    // A group's span exists whenever the group matched: group 1 (the colons) always does on a
+    // fence, and the optional groups are read only behind their own m[n] guard.
+    const indices = m.indices;
+    const out = [];
+    const [colonFrom, colonTo] = indices[1];
+    out.push({ from: colonFrom, to: colonTo, kind: 'mark' });
+    if (m[2]) {
+        const [from, to] = indices[2];
+        out.push({ from, to, kind: 'label' });
+    }
+    if (m[3]) {
+        const [from, to] = indices[3];
+        out.push({ from, to: from + 1, kind: 'mark' });
+        if (to - from > 2)
+            out.push({ from: from + 1, to: to - 1, kind: 'label' });
+        out.push({ from: to - 1, to, kind: 'mark' });
+    }
+    if (m[4]) {
+        const [from, to] = indices[4];
+        out.push({ from, to, kind: 'mark' });
+    }
+    return out;
+}
 /** Inline directive ranges (`:name[...]{...}`) within a line of text. */
 export function findInlineDirectives(text) {
     const out = [];

package/dist/components/preview-doc.d.ts

@@ -0,0 +1,27 @@
+import type { ResolvedPreview } from '../content/types.js';
+/** One width the preview frame can take. */
+export interface PreviewDevice {
+    id: 'desktop' | 'tablet' | 'phone' | 'small';
+    /** The device menu label, also the frame caption's first half. */
+    label: string;
+    /** Frame width in CSS pixels; null fills the pane (Desktop). */
+    width: number | null;
+}
+/** A preview device's id, the value the page persists. */
+export type PreviewDeviceId = PreviewDevice['id'];
+/** The four widths the device menu offers, in menu order. Desktop leads as the default. */
+export declare const previewDevices: PreviewDevice[];
+/** The table row for a device id. The id type makes a miss impossible; the fallback satisfies find. */
+export declare function previewDevice(id: PreviewDeviceId): PreviewDevice;
+/** A device's user-facing text, shared by the toolbar's menu items and the frame caption: the
+ *  label with its width when one is fixed, so the value reaches assistive tech at pick time. */
+export declare function deviceLabel(d: PreviewDevice): string;
+/**
+ * Build the preview iframe's srcdoc: a complete document linking the site's stylesheets around
+ * the rendered entry html. The html comes from the site's floored render pipeline, which already
+ * stripped scripts and event handlers, so it embeds unescaped; the frame's empty `sandbox` is
+ * belt and braces over that floor. The parameter is the flat `ResolvedPreview` shape `editLoad`
+ * ships, so the per-concept map can never reach the frame document by construction.
+ * `preview` null (a site without the adapter knob) yields a styleless but complete document.
+ */
+export declare function buildPreviewDoc(html: string, preview: ResolvedPreview | null): string;

package/dist/components/preview-doc.js

@@ -0,0 +1,64 @@
+// cairn-cms: the edit page's preview-frame document. The admin's chrome isolation keeps the
+// site's CSS out of the admin document, so EditPage renders the preview inside a sandboxed
+// iframe whose document links the site's own stylesheets from the adapter's preview knob. This
+// module builds that iframe's srcdoc as one pure string, so its shape is unit-testable, and it
+// carries the device table the frame's width control offers.
+import { escapeHtml } from '../escape.js';
+/** The four widths the device menu offers, in menu order. Desktop leads as the default. */
+export const previewDevices = [
+    { id: 'desktop', label: 'Desktop', width: null },
+    { id: 'tablet', label: 'Tablet', width: 768 },
+    { id: 'phone', label: 'Phone', width: 390 },
+    { id: 'small', label: 'Small phone', width: 320 },
+];
+/** The table row for a device id. The id type makes a miss impossible; the fallback satisfies find. */
+export function previewDevice(id) {
+    return previewDevices.find((d) => d.id === id) ?? previewDevices[0];
+}
+/** A device's user-facing text, shared by the toolbar's menu items and the frame caption: the
+ *  label with its width when one is fixed, so the value reaches assistive tech at pick time. */
+export function deviceLabel(d) {
+    return d.width === null ? d.label : `${d.label} · ${d.width} px`;
+}
+/**
+ * Build the preview iframe's srcdoc: a complete document linking the site's stylesheets around
+ * the rendered entry html. The html comes from the site's floored render pipeline, which already
+ * stripped scripts and event handlers, so it embeds unescaped; the frame's empty `sandbox` is
+ * belt and braces over that floor. The parameter is the flat `ResolvedPreview` shape `editLoad`
+ * ships, so the per-concept map can never reach the frame document by construction.
+ * `preview` null (a site without the adapter knob) yields a styleless but complete document.
+ */
+export function buildPreviewDoc(html, preview) {
+    const links = (preview?.stylesheets ?? [])
+        .map((href) => `<link rel="stylesheet" href="${escapeHtml(href)}">`)
+        .join('\n');
+    const bodyAttrs = preview?.bodyClass ? ` class="${escapeHtml(preview.bodyClass)}"` : '';
+    const content = preview?.containerClass
+        ? `<div class="${escapeHtml(preview.containerClass)}">${html}</div>`
+        : html;
+    // The reset sits BEFORE the site links so the site's CSS wins every collision: it only clears
+    // the default body margin and pins a white ground for sheets that assume one.
+    //
+    // The base tag is what makes links inert. The empty sandbox alone does not: a sandboxed
+    // context may still navigate itself, and a srcdoc document resolves relative hrefs against the
+    // parent's base URL, so a clicked fragment or root link could render the admin login inside
+    // the frame. Targeting every link at a new tab turns each click into a popup, and the sandbox
+    // (which grants no allow-popups) blocks it, so a proofing click goes nowhere.
+    return [
+        '<!doctype html>',
+        '<html>',
+        '<head>',
+        '<meta charset="utf-8">',
+        '<meta name="viewport" content="width=device-width, initial-scale=1">',
+        '<base target="_blank">',
+        '<style>body{margin:0;background:#fff}</style>',
+        links,
+        '</head>',
+        `<body${bodyAttrs}>`,
+        content,
+        '</body>',
+        '</html>',
+    ]
+        .filter((line) => line !== '')
+        .join('\n');
+}

package/dist/content/compose.js

@@ -31,6 +31,7 @@ export function composeRuntime({ adapter, siteConfig, extensions = [] }) {
         registry: adapter.registry,
         icons: adapter.icons,
         navMenu: adapter.navMenu,
+        preview: adapter.preview,
         assets: adapter.assets,
         adminPanels,
         fieldTypes,

package/dist/content/types.d.ts

@@ -133,6 +133,34 @@ export interface NavMenuConfig {
     /** Max nesting depth allowed in the editor; defaults to 2. */
     maxDepth?: number;
 }
+/**
+ * How the edit page's preview frame reproduces the live site's content styling. The admin
+ * deliberately never loads the site's CSS (chrome isolation), so a design-accurate preview needs
+ * the site to name its stylesheets for the preview frame; without this knob the preview renders
+ * unstyled markup. The frame's srcdoc pins a white body background as a deliberately overridable
+ * default, so a site whose ground is not white should state its body background in its own
+ * stylesheet.
+ */
+export interface PreviewConfig {
+    /** Absolute or root-relative URLs of the site's compiled stylesheets, linked inside the
+     *  preview document. A Vite `?url` import of the site's CSS resolves the hashed asset URL. */
+    stylesheets: string[];
+    /** Class list applied to the preview document's body, for theme or typography roots. */
+    bodyClass?: string;
+    /** Class list for a wrapper element around the rendered content, reproducing the site's
+     *  content container (a prose or measure class). Omitted renders the content bare. */
+    containerClass?: string;
+    /** Per-concept overrides of bodyClass and containerClass, keyed by concept id. An entry's
+     *  preview resolves the override for its concept over the top-level values; stylesheets are
+     *  always shared. */
+    byConcept?: Record<string, {
+        bodyClass?: string;
+        containerClass?: string;
+    }>;
+}
+/** The flat preview shape `editLoad` ships to the edit page: the top-level `PreviewConfig`
+ *  values with the entry's concept override applied, and no `byConcept` map. */
+export type ResolvedPreview = Omit<PreviewConfig, 'byConcept'>;
 /** Reserved asset slot (seam 4). Typed and unused in the rebuild; R7/R9 read it later with no contract change. */
 export interface AssetConfig {
     /** Repo-relative asset roots, e.g. ["static/images"]. */
@@ -168,6 +196,9 @@ export interface CairnAdapter {
     /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
     icons?: IconSet;
     navMenu?: NavMenuConfig;
+    /** The live site's content styling for the preview frame. The admin's chrome isolation keeps
+     *  the site's CSS out of the admin document, so the preview frame links these instead. */
+    preview?: PreviewConfig;
     assets?: AssetConfig;
 }
 /**
@@ -263,6 +294,8 @@ export interface CairnRuntime {
     /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
     icons?: IconSet;
     navMenu?: NavMenuConfig;
+    /** The live site's content styling for the preview frame; passed through from the adapter. */
+    preview?: PreviewConfig;
     assets?: AssetConfig;
     /** Admin panels contributed by extensions (Mode 2). Empty until Plan 09 wires the dispatch route. */
     adminPanels?: AdminPanel[];

package/dist/diagnostics/conditions.js

@@ -69,6 +69,14 @@ export const REGISTRY = {
         remediation: "Set csrf: { checkOrigin: false } in svelte.config.js and wire createAuthGuard into src/hooks.server.ts; cairn's guard owns the Origin and double-submit token checks.",
         docsAnchor: 'cloudflare-readiness.md#hand-cairn-the-csrf-authority',
     },
+    'config.public-origin-invalid': {
+        id: 'config.public-origin-invalid',
+        severity: 'blocker',
+        title: 'PUBLIC_ORIGIN is missing or invalid',
+        why: 'PUBLIC_ORIGIN is unset, does not parse as a URL, or uses http on a non-local host. The magic-link confirmation links and the absolute feed URLs derive from it, config-only so a forged Host header cannot redirect a link, and sign-in cannot mint a usable link without it.',
+        remediation: "Set PUBLIC_ORIGIN to the site's canonical https origin in the wrangler config vars (with .dev.vars carrying the local http override), then re-deploy; http passes only on localhost or 127.0.0.1.",
+        docsAnchor: 'cloudflare-readiness.md#set-the-public-origin',
+    },
     'config.site-config-invalid': {
         id: 'config.site-config-invalid',
         severity: 'blocker',
@@ -77,6 +85,14 @@ export const REGISTRY = {
         remediation: 'Correct site.config.yaml; the parse or validation error names the failing field or URL-policy rule.',
         docsAnchor: 'cloudflare-readiness.md#validate-the-site-config',
     },
+    'config.dependency-floors-unmet': {
+        id: 'config.dependency-floors-unmet',
+        severity: 'blocker',
+        title: 'A framework dependency sits below the engine floor',
+        why: 'The lockfile resolves svelte or @sveltejs/kit below the range the engine declares as a peer. Consumer sites compile the shipped .svelte sources, so a below-floor compiler bites silently at build time; svelte 5.56.1 miscompiles parenthesized boolean groupings, which is why the svelte floor is ^5.56.3.',
+        remediation: "Raise the devDependency range in the site's package.json to the engine peer range and reinstall so the lockfile re-resolves, for example `npm install --save-dev svelte@^5.56.3`.",
+        docsAnchor: 'cloudflare-readiness.md#meet-the-dependency-floors',
+    },
     'edge.hsts-off': {
         id: 'edge.hsts-off',
         severity: 'warning',
@@ -102,6 +118,14 @@ export const REGISTRY = {
         docsAnchor: 'cloudflare-readiness.md#install-the-github-app',
         logEvent: 'github.unreachable',
     },
+    'admin.login-probe-failed': {
+        id: 'admin.login-probe-failed',
+        severity: 'blocker',
+        title: 'Live admin login probe failed',
+        why: 'A live request to the deployed admin did not answer with the working sign-in envelope (the login page, its CSRF cookie and hidden field, and the request action), so a real editor cannot sign in either. A probe failure has many possible causes; the detail line names the assertion that failed.',
+        remediation: 'Read the failed assertion in the detail line, run the full doctor against the same site, and work through the deploy guide; the other checks narrow the cause.',
+        docsAnchor: 'cloudflare-readiness.md#probe-the-deployed-admin',
+    },
 };
 // The registry is shared identity, never working state; freeze every entry and the map itself.
 for (const entry of Object.values(REGISTRY))

package/dist/doctor/bin.js

@@ -7,8 +7,10 @@
 // before the process ends.
 import { readFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
+import { liveProbeCheck } from './check-probe.js';
 import { liveSendCheck } from './check-send.js';
-import { contextFromEnv, defaultChecks, formatReport, parseArgs, runDoctor } from './index.js';
+import { readWranglerConfig } from './wrangler-config.js';
+import { contextFromEnv, defaultChecks, deriveMissingInputs, formatReport, parseArgs, runDoctor, } from './index.js';
 async function main() {
     let args;
     try {
@@ -20,23 +22,39 @@ async function main() {
         return;
     }
     const cwd = process.cwd();
+    const readFileUnderCwd = async (relPath) => {
+        try {
+            return await readFile(resolve(cwd, relPath), 'utf8');
+        }
+        catch (err) {
+            if (err.code === 'ENOENT')
+                return null;
+            throw err;
+        }
+    };
+    // Fill inputs the flags and env left missing from the repo itself: from and repo off the
+    // adapter (through the vite arm, which exists only on this bin path, never in a Worker)
+    // and the account id off the wrangler config. The API token stays env-only.
+    const derived = await deriveMissingInputs(contextFromEnv(process.env, args, cwd), {
+        adapterFacts: async () => {
+            const { readAdapterFacts } = await import('../vite/index.js');
+            return readAdapterFacts(cwd);
+        },
+        wranglerAccountId: async () => (await readWranglerConfig(readFileUnderCwd))?.accountId,
+    });
     const ctx = {
-        ...contextFromEnv(process.env, args, cwd),
+        ...derived,
         fetch: globalThis.fetch,
-        readFile: async (relPath) => {
-            try {
-                return await readFile(resolve(cwd, relPath), 'utf8');
-            }
-            catch (err) {
-                if (err.code === 'ENOENT')
-                    return null;
-                throw err;
-            }
-        },
+        readFile: readFileUnderCwd,
     };
     const checks = defaultChecks();
     if (args.sendTest)
         checks.push(liveSendCheck(args.sendTest));
+    // The probe is an opt-in network POST against a live site, so it joins only on --probe;
+    // the bare flag hands the URL resolution (the PUBLIC_ORIGIN input) to the check itself.
+    if (args.probe !== undefined) {
+        checks.push(liveProbeCheck(args.probe === true ? undefined : args.probe));
+    }
     const { results, failed } = await runDoctor(checks, ctx);
     console.log(formatReport(results));
     process.exitCode = failed > 0 ? 1 : 0;

package/dist/doctor/check-floors.d.ts

@@ -0,0 +1,15 @@
+import type { CheckResult, DoctorCheck } from './types.js';
+/**
+ * Judge a lockfile's resolved framework versions against the engine's peer ranges. Pure, so the
+ * tests drive it table-style; the check object wires in the real lockfile and the real peers.
+ * A below-range version fails; a lockfile or entry the check cannot read skips, since a pnpm or
+ * yarn consumer carries no package-lock.json at all.
+ */
+export declare function dependencyFloorsResult(lockText: string | null, peers: Record<string, string>): CheckResult;
+/**
+ * The engine's own declared peer ranges, read from the installed package.json at runtime so the
+ * floors are declared exactly once. The self-reference resolves through the consumer's
+ * node_modules in a real install and through the repo root during development.
+ */
+export declare function readEnginePeers(): Record<string, string>;
+export declare const configDependencyFloors: DoctorCheck;