@glw907/cairn-cms 0.50.0 → 0.52.0

package/dist/doctor/check-floors.js

@@ -0,0 +1,107 @@
+// The dependency-floors check. The engine's peer ranges have teeth only when something reads
+// the consumer's lockfile, where a transitively pinned svelte can sit below the floor while
+// package.json looks fine (the ecxc retrofit shipped svelte 5.56.0 that way). The check compares
+// the resolved svelte and @sveltejs/kit versions in package-lock.json against the peer ranges
+// the installed @glw907/cairn-cms declares, read at runtime so the floors live in one place.
+import { createRequire } from 'node:module';
+import { fail, pass, skip } from './types.js';
+// Plain x.y.z only. A prerelease or build tag returns null, so the check skips rather than
+// guessing how a tagged build orders against the floor.
+function parseVersion(text) {
+    const m = text.match(/^(\d+)\.(\d+)\.(\d+)$/);
+    if (!m)
+        return null;
+    return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
+}
+// The engine's peers are simple caret ranges (^x.y.z, or ^x.y like the kit floor ^2.12), so
+// this handles the caret form only; anything else returns null and the check skips for that
+// dependency instead of approximating a full semver implementation.
+function caretFloor(range) {
+    const m = range.match(/^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+    if (!m)
+        return null;
+    return { major: Number(m[1]), minor: Number(m[2] ?? 0), patch: Number(m[3] ?? 0) };
+}
+function compareVersions(a, b) {
+    return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
+}
+function lockedVersion(lock, dep) {
+    const version = lock.packages?.[`node_modules/${dep}`]?.version;
+    return typeof version === 'string' ? version : undefined;
+}
+/**
+ * Judge a lockfile's resolved framework versions against the engine's peer ranges. Pure, so the
+ * tests drive it table-style; the check object wires in the real lockfile and the real peers.
+ * A below-range version fails; a lockfile or entry the check cannot read skips, since a pnpm or
+ * yarn consumer carries no package-lock.json at all.
+ */
+export function dependencyFloorsResult(lockText, peers) {
+    if (lockText === null) {
+        return skip('no package-lock.json found (a pnpm or yarn lockfile is not read)');
+    }
+    let lock;
+    try {
+        lock = JSON.parse(lockText);
+    }
+    catch {
+        // Like the wrangler reader: never echo file content into the report.
+        return fail('package-lock.json did not parse');
+    }
+    if (lock.packages === undefined) {
+        return skip('package-lock.json carries no packages map (lockfile v1; reinstall with a current npm)');
+    }
+    const failures = [];
+    const skips = [];
+    const passes = [];
+    for (const [dep, range] of Object.entries(peers)) {
+        const floor = caretFloor(range);
+        if (floor === null) {
+            skips.push(`${dep}: the engine range ${range} is not a simple caret range`);
+            continue;
+        }
+        const resolved = lockedVersion(lock, dep);
+        if (resolved === undefined) {
+            skips.push(`${dep}: no node_modules/${dep} entry in package-lock.json`);
+            continue;
+        }
+        const version = parseVersion(resolved);
+        if (version === null) {
+            skips.push(`${dep}: resolved ${resolved} is not a plain x.y.z version`);
+            continue;
+        }
+        // The caret bounds both ends: at or above the floor, same major. The engine's peers
+        // start at major 1 or higher, so the 0.x caret nuance never applies here.
+        if (compareVersions(version, floor) < 0) {
+            failures.push(`${dep} resolves to ${resolved}, below the engine floor ${range}`);
+        }
+        else if (version.major !== floor.major) {
+            failures.push(`${dep} resolves to ${resolved}, outside the engine peer range ${range}`);
+        }
+        else {
+            passes.push(`${dep} ${resolved}`);
+        }
+    }
+    if (failures.length > 0)
+        return fail(failures.join('; '));
+    if (skips.length > 0)
+        return skip(skips.join('; '));
+    return pass(`${passes.join(' and ')} satisfy the engine peer ranges`);
+}
+/**
+ * The engine's own declared peer ranges, read from the installed package.json at runtime so the
+ * floors are declared exactly once. The self-reference resolves through the consumer's
+ * node_modules in a real install and through the repo root during development.
+ */
+export function readEnginePeers() {
+    const require = createRequire(import.meta.url);
+    const pkg = require('@glw907/cairn-cms/package.json');
+    return pkg.peerDependencies ?? {};
+}
+export const configDependencyFloors = {
+    id: 'config.dependency-floors',
+    conditionId: 'config.dependency-floors-unmet',
+    title: 'Dependency floors',
+    async run(ctx) {
+        return dependencyFloorsResult(await ctx.readFile('package-lock.json'), readEnginePeers());
+    },
+};

package/dist/doctor/check-probe.d.ts

@@ -0,0 +1,3 @@
+import type { DoctorCheck } from './types.js';
+/** Build the live-probe check. A missing url falls back to the PUBLIC_ORIGIN input at run time. */
+export declare function liveProbeCheck(url?: string): DoctorCheck;

package/dist/doctor/check-probe.js

@@ -0,0 +1,123 @@
+// The doctor's opt-in live probe (--probe): one GET and one POST against a deployed admin,
+// asserting the envelope a working sign-in presents. Zero side effects by construction: the
+// POST submits a random non-editor address, and the engine's non-leak design answers a
+// non-editor with the identical sent body while sending no email and minting no token, so the
+// probe leaves nothing behind on the site. A factory rather than a check constant, the same
+// shape as the live send: the check exists only when the bin receives --probe.
+import { fail, pass, skip } from './types.js';
+import { csrfCookieName } from '../auth/crypto.js';
+import { readWranglerConfig } from './wrangler-config.js';
+const NO_URL = skip('pass --probe <url>, set PUBLIC_ORIGIN in the wrangler vars, or set PUBLIC_ORIGIN in the environment');
+/** Build the live-probe check. A missing url falls back to the PUBLIC_ORIGIN input at run time. */
+export function liveProbeCheck(url) {
+    return {
+        id: 'admin.login-probe',
+        conditionId: 'admin.login-probe-failed',
+        title: 'Live admin login probe',
+        async run(ctx) {
+            // The wrangler vars hold the value the deployed Worker reads, so they beat the local
+            // environment, the same precedence the public-origin check applies.
+            const base = url ?? (await readWranglerConfig(ctx.readFile))?.publicOrigin ?? ctx.publicOrigin;
+            if (base === undefined)
+                return NO_URL;
+            let origin;
+            try {
+                origin = new URL(base);
+            }
+            catch {
+                return fail(`probe URL does not parse: ${base}`);
+            }
+            try {
+                return await probe(ctx, origin);
+            }
+            catch (err) {
+                return fail(String(err));
+            }
+        },
+    };
+}
+/** GET /admin/login and assert the sign-in envelope, then hand the harvested token pair on. */
+async function probe(ctx, origin) {
+    const res = await ctx.fetch(String(new URL('/admin/login', origin)));
+    if (res.status !== 200) {
+        return fail(`GET /admin/login returned ${res.status}, expected 200`);
+    }
+    const cookieName = csrfCookieName(origin.protocol === 'https:');
+    const cookieValue = setCookieValue(res.headers.getSetCookie(), cookieName);
+    if (cookieValue === undefined) {
+        return fail(`GET /admin/login set no ${cookieName} cookie`);
+    }
+    const html = await res.text();
+    const field = csrfFieldValue(html);
+    if (field === undefined) {
+        return fail('the login page carries no name="csrf" hidden field with a value');
+    }
+    if (!/<form[^>]*action="[^"]*\?\/request"/.test(html)) {
+        return fail('the login page carries no form posting the ?/request action');
+    }
+    return postRequestAction(ctx, origin, `${cookieName}=${cookieValue}`, field);
+}
+/** The named cookie's value from the Set-Cookie lines, or undefined when no line names it. */
+function setCookieValue(lines, name) {
+    for (const line of lines) {
+        const eq = line.indexOf('=');
+        if (eq === -1 || line.slice(0, eq).trim() !== name)
+            continue;
+        const rest = line.slice(eq + 1);
+        const semi = rest.indexOf(';');
+        return semi === -1 ? rest : rest.slice(0, semi);
+    }
+    return undefined;
+}
+/** The csrf hidden field's value, tolerant of attribute order, or undefined when absent or empty. */
+function csrfFieldValue(html) {
+    const input = (html.match(/<input[^>]*>/g) ?? []).find((tag) => /name="csrf"/.test(tag));
+    if (input === undefined)
+        return undefined;
+    return /value="([^"]+)"/.exec(input)?.[1];
+}
+/**
+ * POST the request action and read its serialized result. The address is random and non-editor
+ * at the reserved example.invalid domain, so even a delivery bug could send nothing anywhere,
+ * and the engine's non-leak design makes the response indistinguishable from a real send.
+ */
+async function postRequestAction(ctx, origin, cookie, csrf) {
+    const email = `cairn-doctor-probe-${Math.random().toString(36).slice(2, 10)}@example.invalid`;
+    const res = await ctx.fetch(String(new URL('/admin/login?/request', origin)), {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/x-www-form-urlencoded',
+            cookie,
+        },
+        body: new URLSearchParams({ email, csrf }).toString(),
+    });
+    if (res.status !== 200) {
+        return fail(`POST ?/request returned ${res.status}, expected 200`);
+    }
+    // A no-Accept action POST answers with SvelteKit's serialized form-action JSON, shaped
+    // {"type":"success","status":200,"data":"<devalue array string>"}. The data field is a
+    // devalue encoding the probe reads by containment for the status literals, tolerant of
+    // encoding details it does not own, instead of pulling in a devalue parser.
+    let envelope;
+    try {
+        envelope = (await res.json());
+    }
+    catch {
+        return fail('POST ?/request did not answer with the serialized action JSON');
+    }
+    if (envelope.type !== 'success') {
+        return fail(`POST ?/request answered type ${String(envelope.type)}, expected success`);
+    }
+    const data = typeof envelope.data === 'string' ? envelope.data : '';
+    if (data.includes('"send_error"')) {
+        return fail('the request action answered send_error; the magic-link send path is failing (see the email checks and the auth.link.send_failed log records)');
+    }
+    // Every payload carries the "sent" field name, so the distinct status spellings go first.
+    if (data.includes('"throttled"')) {
+        return pass(`sign-in envelope verified at ${origin.origin}; the request action answered throttled (a real cooldown window is active), which still proves the path`);
+    }
+    if (data.includes('"sent"')) {
+        return pass(`sign-in envelope verified at ${origin.origin}; the request action answered sent for a non-editor probe address`);
+    }
+    return fail('POST ?/request answered success with an unrecognized payload');
+}

package/dist/doctor/checks-github.js

@@ -17,7 +17,7 @@ export const githubApp = {
             return skip('set GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, and GITHUB_APP_PRIVATE_KEY_B64 to run this check');
         }
         if (!ctx.repo) {
-            return skip('pass --repo or set GITHUB_REPO to run this check');
+            return skip('pass --repo, set GITHUB_REPO, or configure the cairnManifest plugin so the doctor can read the adapter');
         }
         const creds = appCredentials({ appId: ctx.github.appId, installationId: ctx.github.installationId }, { GITHUB_APP_PRIVATE_KEY_B64: ctx.github.privateKeyB64 });
         // Stage 1: the key parse and sign, through the deploy-time self-test. Its detail is a

package/dist/doctor/checks-local.d.ts

@@ -2,4 +2,5 @@ import type { DoctorCheck } from './types.js';
 export declare const configBindings: DoctorCheck;
 export declare const configObservability: DoctorCheck;
 export declare const configCsrfDisable: DoctorCheck;
+export declare const configPublicOrigin: DoctorCheck;
 export declare const configSiteConfig: DoctorCheck;

package/dist/doctor/checks-local.js

@@ -1,8 +1,9 @@
 // The doctor's local-config checks: the wrangler bindings, the observability sink, the
-// svelte.config CSRF handoff, and the site-config validation. Every read goes through the
-// injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
+// svelte.config CSRF handoff, the site-config validation, and the public origin. Every read
+// goes through the injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
 import { fail, pass, skip } from './types.js';
 import { readWranglerConfig } from './wrangler-config.js';
+import { requireOrigin } from '../env.js';
 import { parseSiteConfig, urlPolicyFrom } from '../nav/site-config.js';
 import { normalizeConcepts } from '../content/concepts.js';
 import { defineFields } from '../content/schema.js';
@@ -78,6 +79,31 @@ export const configCsrfDisable = {
         return pass('checkOrigin: false found and the hooks file wires the cairn guard (heuristic text read)');
     },
 };
+export const configPublicOrigin = {
+    id: 'config.public-origin',
+    conditionId: 'config.public-origin-invalid',
+    title: 'Public origin',
+    async run(ctx) {
+        // The wrangler vars hold the value the deployed Worker reads, so they beat the local
+        // environment; the env fallback covers a dashboard-set var the file never carries.
+        const facts = await readWranglerConfig(ctx.readFile);
+        const fromVars = facts?.publicOrigin;
+        const origin = fromVars ?? ctx.publicOrigin;
+        if (facts === null && origin === undefined) {
+            return skip('no wrangler config found and PUBLIC_ORIGIN is not in the environment');
+        }
+        // requireOrigin is the runtime rule (unset, not a URL, http off localhost); reusing it
+        // keeps the doctor and the Worker on one judgment.
+        try {
+            requireOrigin({ PUBLIC_ORIGIN: origin });
+        }
+        catch (err) {
+            return fail(err instanceof Error ? err.message : String(err));
+        }
+        const source = fromVars !== undefined ? 'wrangler vars' : 'environment';
+        return pass(`PUBLIC_ORIGIN is ${origin} (${source})`);
+    },
+};
 // Where sites keep site.config.yaml. The adapter's configPath is TypeScript the CLI cannot
 // evaluate, so the check probes the conventional spots instead (the repo root and the two
 // src locations the production sites use).

package/dist/doctor/cloudflare-api.js

@@ -5,8 +5,8 @@
 import { skip } from './types.js';
 export const CF_API = 'https://api.cloudflare.com/client/v4';
 export const NO_TOKEN = skip('set CLOUDFLARE_API_TOKEN to run this check');
-export const NO_FROM = skip('pass --from or set CAIRN_FROM to run this check');
-export const NO_ACCOUNT = skip('set CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID to run this check');
+export const NO_FROM = skip('pass --from, set CAIRN_FROM, or configure the cairnManifest plugin so the doctor can read the adapter');
+export const NO_ACCOUNT = skip('set CLOUDFLARE_API_TOKEN, and CLOUDFLARE_ACCOUNT_ID or a wrangler account_id, to run this check');
 export function cfGet(ctx, path) {
     return ctx.fetch(`${CF_API}${path}`, {
         headers: { authorization: `Bearer ${ctx.cfToken}` },

package/dist/doctor/index.d.ts

@@ -5,6 +5,9 @@ export interface DoctorArgs {
     from?: string;
     repo?: string;
     sendTest?: string;
+    /** The live admin probe: a URL when --probe carried one, true for the bare flag (probe the
+     *  PUBLIC_ORIGIN input), absent when the flag never appeared (the probe does not run). */
+    probe?: string | true;
 }
 /** Parse the bin's argv (long flags only). Throws with a usage line on anything unexpected. */
 export declare function parseArgs(argv: string[]): DoctorArgs;
@@ -15,9 +18,31 @@ export declare function parseArgs(argv: string[]): DoctorArgs;
  * readFile stay with the bin, which injects the real ones.
  */
 export declare function contextFromEnv(env: Record<string, string | undefined>, args: DoctorArgs, cwd: string): Omit<DoctorContext, 'fetch' | 'readFile'>;
+/** The lazy derivation sources the bin wires up: the adapter read through the consumer's own
+ *  Vite resolution and the wrangler config's account_id. Each runs only when an input it feeds
+ *  is still missing, so a doctor run with full flags touches neither. */
+export interface DerivationSources {
+    /** Returns { owner, repo, from } off the adapter, or null when nothing is derivable. */
+    adapterFacts: () => Promise<{
+        owner?: string;
+        repo?: string;
+        from?: string;
+    } | null>;
+    /** Returns the wrangler config's account_id, or undefined when none is declared. */
+    wranglerAccountId: () => Promise<string | undefined>;
+}
+/**
+ * Fill the context's missing inputs from the repo the doctor runs in: from and repo off the
+ * adapter, the account id off the wrangler config. An explicit flag or env value always wins
+ * (contextFromEnv already resolved those into ctx), each source runs lazily and only for
+ * inputs still missing, and a derivation failure leaves the input absent so its check skips
+ * with the usual remediation line instead of the doctor crashing. The API token is never
+ * derived; it stays env-only.
+ */
+export declare function deriveMissingInputs(ctx: Omit<DoctorContext, 'fetch' | 'readFile'>, sources: DerivationSources): Promise<Omit<DoctorContext, 'fetch' | 'readFile'>>;
 /**
- * The default registry: the four local-config checks, the four Cloudflare checks, and the
- * GitHub App chain. The live send is opt-in (--send-test) and never sits here; the bin appends
- * it. A fresh array per call, so that append mutates nothing shared.
+ * The default registry: the six local checks, the four Cloudflare checks, and the GitHub App
+ * chain. The live send is opt-in (--send-test) and never sits here; the bin appends it. A
+ * fresh array per call, so that append mutates nothing shared.
  */
 export declare function defaultChecks(): DoctorCheck[];

package/dist/doctor/index.js

@@ -1,9 +1,10 @@
-import { configBindings, configObservability, configCsrfDisable, configSiteConfig, } from './checks-local.js';
+import { configBindings, configObservability, configCsrfDisable, configSiteConfig, configPublicOrigin, } from './checks-local.js';
+import { configDependencyFloors } from './check-floors.js';
 import { emailSenderOnboarded, edgeHttpsForced, edgeHsts, authStore } from './checks-cloudflare.js';
 import { githubApp } from './checks-github.js';
 export { runDoctor } from './run.js';
 export { formatReport } from './report.js';
-const USAGE = 'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>]';
+const USAGE = 'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>] [--probe [url]]';
 const FLAGS = {
     '--from': 'from',
     '--repo': 'repo',
@@ -12,8 +13,16 @@ const FLAGS = {
 /** Parse the bin's argv (long flags only). Throws with a usage line on anything unexpected. */
 export function parseArgs(argv) {
     const args = {};
-    for (let i = 0; i < argv.length; i += 2) {
+    for (let i = 0; i < argv.length;) {
         const flag = argv[i];
+        // --probe alone is meaningful (probe the PUBLIC_ORIGIN input), so its value is optional.
+        if (flag === '--probe') {
+            const value = argv[i + 1];
+            const bare = value === undefined || value.startsWith('--');
+            args.probe = bare ? true : value;
+            i += bare ? 1 : 2;
+            continue;
+        }
         const key = FLAGS[flag];
         if (!key)
             throw new Error(`unknown argument ${flag}\n${USAGE}`);
@@ -22,6 +31,7 @@ export function parseArgs(argv) {
             throw new Error(`${flag} needs a value\n${USAGE}`);
         }
         args[key] = value;
+        i += 2;
     }
     return args;
 }
@@ -39,6 +49,7 @@ export function contextFromEnv(env, args, cwd) {
         repo: args.repo ?? env.GITHUB_REPO,
         cfToken: env.CLOUDFLARE_API_TOKEN,
         cfAccountId: env.CLOUDFLARE_ACCOUNT_ID,
+        publicOrigin: env.PUBLIC_ORIGIN,
         github: GITHUB_APP_ID && GITHUB_APP_INSTALLATION_ID && GITHUB_APP_PRIVATE_KEY_B64
             ? {
                 appId: GITHUB_APP_ID,
@@ -49,9 +60,37 @@ export function contextFromEnv(env, args, cwd) {
     };
 }
 /**
- * The default registry: the four local-config checks, the four Cloudflare checks, and the
- * GitHub App chain. The live send is opt-in (--send-test) and never sits here; the bin appends
- * it. A fresh array per call, so that append mutates nothing shared.
+ * Fill the context's missing inputs from the repo the doctor runs in: from and repo off the
+ * adapter, the account id off the wrangler config. An explicit flag or env value always wins
+ * (contextFromEnv already resolved those into ctx), each source runs lazily and only for
+ * inputs still missing, and a derivation failure leaves the input absent so its check skips
+ * with the usual remediation line instead of the doctor crashing. The API token is never
+ * derived; it stays env-only.
+ */
+export async function deriveMissingInputs(ctx, sources) {
+    const out = { ...ctx };
+    if (out.from === undefined || out.repo === undefined) {
+        const facts = await sources.adapterFacts().catch(() => null);
+        if (out.from === undefined && typeof facts?.from === 'string') {
+            out.from = facts.from;
+        }
+        if (out.repo === undefined &&
+            typeof facts?.owner === 'string' &&
+            typeof facts?.repo === 'string') {
+            out.repo = `${facts.owner}/${facts.repo}`;
+        }
+    }
+    if (out.cfAccountId === undefined) {
+        const accountId = await sources.wranglerAccountId().catch(() => undefined);
+        if (typeof accountId === 'string')
+            out.cfAccountId = accountId;
+    }
+    return out;
+}
+/**
+ * The default registry: the six local checks, the four Cloudflare checks, and the GitHub App
+ * chain. The live send is opt-in (--send-test) and never sits here; the bin appends it. A
+ * fresh array per call, so that append mutates nothing shared.
  */
 export function defaultChecks() {
     return [
@@ -59,6 +98,8 @@ export function defaultChecks() {
         configObservability,
         configCsrfDisable,
         configSiteConfig,
+        configPublicOrigin,
+        configDependencyFloors,
         emailSenderOnboarded,
         edgeHttpsForced,
         edgeHsts,

package/dist/doctor/types.d.ts

@@ -28,6 +28,8 @@ export interface DoctorContext {
     cfToken?: string;
     /** CLOUDFLARE_ACCOUNT_ID. */
     cfAccountId?: string;
+    /** PUBLIC_ORIGIN, the env fallback when the wrangler vars carry none. */
+    publicOrigin?: string;
     /** GITHUB_APP_ID / GITHUB_APP_INSTALLATION_ID / GITHUB_APP_PRIVATE_KEY_B64. */
     github?: {
         appId: string;

package/dist/doctor/wrangler-config.d.ts

@@ -8,5 +8,9 @@ export interface WranglerFacts {
     authDbId?: string;
     /** observability.enabled is true. */
     observabilityEnabled: boolean;
+    /** vars.PUBLIC_ORIGIN, when declared; the public-origin check validates it. */
+    publicOrigin?: string;
+    /** The top-level account_id, when declared; a fallback for CLOUDFLARE_ACCOUNT_ID. */
+    accountId?: string;
 }
 export declare function readWranglerConfig(readFile: DoctorContext['readFile']): Promise<WranglerFacts | null>;

package/dist/doctor/wrangler-config.js

@@ -71,6 +71,11 @@ function factsFromJsonc(text) {
     };
     if (typeof authDb?.database_id === 'string')
         facts.authDbId = authDb.database_id;
+    const vars = config.vars;
+    if (typeof vars?.PUBLIC_ORIGIN === 'string')
+        facts.publicOrigin = vars.PUBLIC_ORIGIN;
+    if (typeof config.account_id === 'string')
+        facts.accountId = config.account_id;
     return facts;
 }
 // The toml read is deliberately shallow: line-anchored matching for the three facts, not a
@@ -119,6 +124,12 @@ function factsFromToml(text) {
         else if (section === '[observability]' && key === 'enabled' && value.startsWith('true')) {
             facts.observabilityEnabled = true;
         }
+        else if (section === '[vars]' && key === 'PUBLIC_ORIGIN' && str !== undefined) {
+            facts.publicOrigin = str;
+        }
+        else if (section === '' && key === 'account_id' && str !== undefined) {
+            facts.accountId = str;
+        }
     }
     flushD1();
     return facts;

package/dist/env.d.ts

@@ -5,7 +5,8 @@ import type { D1Database } from '@cloudflare/workers-types';
  * The origin is always config-derived, never read from a request header, so a
  * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
  *
- * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ * @throws CairnError (`config.public-origin-invalid`) when `PUBLIC_ORIGIN` is unset or
+ * empty, fails to parse as a URL, or uses http on a non-local host.
  */
 export declare function requireOrigin(env: {
     PUBLIC_ORIGIN?: string;

package/dist/env.js

@@ -5,26 +5,31 @@ import { CairnError } from './diagnostics/index.js';
  * The origin is always config-derived, never read from a request header, so a
  * forged Host header cannot redirect a magic link (spec 7.1, risk H3).
  *
- * @throws Error when `PUBLIC_ORIGIN` is unset or empty.
+ * @throws CairnError (`config.public-origin-invalid`) when `PUBLIC_ORIGIN` is unset or
+ * empty, fails to parse as a URL, or uses http on a non-local host.
  */
 export function requireOrigin(env) {
     const origin = env.PUBLIC_ORIGIN;
     if (!origin) {
-        throw new Error('PUBLIC_ORIGIN is not configured');
+        throw new CairnError('config.public-origin-invalid', { message: 'PUBLIC_ORIGIN is not configured' });
     }
     let hostname;
     try {
         hostname = new URL(origin).hostname;
     }
     catch {
-        throw new Error(`PUBLIC_ORIGIN is not a valid URL, got ${origin}`);
+        throw new CairnError('config.public-origin-invalid', {
+            message: `PUBLIC_ORIGIN is not a valid URL, got ${origin}`,
+        });
     }
     // The magic-link origin must be https in production so the link and the __Host- cookie are
     // origin-bound. http is allowed only for local dev on localhost or 127.0.0.1, matched exactly so
     // a lookalike host like localhost.example.com cannot skip the https requirement.
     const isLocal = hostname === 'localhost' || hostname === '127.0.0.1';
     if (!origin.startsWith('https://') && !isLocal) {
-        throw new Error(`PUBLIC_ORIGIN must be https in production, got ${origin}`);
+        throw new CairnError('config.public-origin-invalid', {
+            message: `PUBLIC_ORIGIN must be https in production, got ${origin}`,
+        });
     }
     return origin;
 }

package/dist/index.d.ts

@@ -2,7 +2,7 @@ export { requireOrigin } from './env.js';
 export type { Role, Editor, AuthEnv } from './auth/types.js';
 export type { AuthBranding, MagicLinkMessage, SendMagicLink } from './email.js';
 export { buildMagicLinkMessage, cloudflareSend } from './email.js';
-export type { CairnAdapter, ConceptConfig, FrontmatterField, TextField, TextareaField, DateField, BooleanField, TagsField, FreeTagsField, ValidationResult, BackendConfig, SenderConfig, NavMenuConfig, AssetConfig, RoutingRule, ConceptDescriptor, ConceptUrlPolicy, CairnExtension, CairnRuntime, AdminPanel, FieldTypeDef, } from './content/types.js';
+export type { CairnAdapter, ConceptConfig, FrontmatterField, TextField, TextareaField, DateField, BooleanField, TagsField, FreeTagsField, ValidationResult, BackendConfig, SenderConfig, NavMenuConfig, PreviewConfig, ResolvedPreview, AssetConfig, RoutingRule, ConceptDescriptor, ConceptUrlPolicy, CairnExtension, CairnRuntime, AdminPanel, FieldTypeDef, } from './content/types.js';
 export { CONCEPT_ROUTING, normalizeConcepts, findConcept } from './content/concepts.js';
 export { composeRuntime } from './content/compose.js';
 export type { ComposeInput } from './content/compose.js';

package/dist/sveltekit/content-routes.d.ts

@@ -2,7 +2,7 @@ import { fail } from '@sveltejs/kit';
 import { type GithubKeyEnv } from '../github/credentials.js';
 import { type LinkTarget, type InboundLink } from '../content/manifest.js';
 import type { CookieJar, EventBase } from './types.js';
-import type { CairnRuntime, FrontmatterField } from '../content/types.js';
+import type { CairnRuntime, FrontmatterField, ResolvedPreview } from '../content/types.js';
 import type { Role } from '../auth/types.js';
 /** A sidebar concept entry: just enough to render the nav without shipping validators to the client. */
 export interface NavConcept {
@@ -87,6 +87,10 @@ export interface EditData {
     publishedFlash: boolean;
     /** True after a discard redirect (`?discarded=1`), for the confirmation strip. */
     discardedFlash: boolean;
+    /** The adapter's preview knob resolved for this entry's concept (its `byConcept` override,
+     *  when one exists, applied over the top-level values); null when the site sets none, which
+     *  leaves the frame rendering unstyled markup behind a hint. */
+    preview: ResolvedPreview | null;
 }
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent extends EventBase<GithubKeyEnv> {