@glw907/cairn-cms 0.50.0 → 0.52.0

package/src/lib/content/types.ts

@@ -154,6 +154,33 @@ export interface NavMenuConfig {
   maxDepth?: number;
 }
 
+/**
+ * How the edit page's preview frame reproduces the live site's content styling. The admin
+ * deliberately never loads the site's CSS (chrome isolation), so a design-accurate preview needs
+ * the site to name its stylesheets for the preview frame; without this knob the preview renders
+ * unstyled markup. The frame's srcdoc pins a white body background as a deliberately overridable
+ * default, so a site whose ground is not white should state its body background in its own
+ * stylesheet.
+ */
+export interface PreviewConfig {
+  /** Absolute or root-relative URLs of the site's compiled stylesheets, linked inside the
+   *  preview document. A Vite `?url` import of the site's CSS resolves the hashed asset URL. */
+  stylesheets: string[];
+  /** Class list applied to the preview document's body, for theme or typography roots. */
+  bodyClass?: string;
+  /** Class list for a wrapper element around the rendered content, reproducing the site's
+   *  content container (a prose or measure class). Omitted renders the content bare. */
+  containerClass?: string;
+  /** Per-concept overrides of bodyClass and containerClass, keyed by concept id. An entry's
+   *  preview resolves the override for its concept over the top-level values; stylesheets are
+   *  always shared. */
+  byConcept?: Record<string, { bodyClass?: string; containerClass?: string }>;
+}
+
+/** The flat preview shape `editLoad` ships to the edit page: the top-level `PreviewConfig`
+ *  values with the entry's concept override applied, and no `byConcept` map. */
+export type ResolvedPreview = Omit<PreviewConfig, 'byConcept'>;
+
 /** Reserved asset slot (seam 4). Typed and unused in the rebuild; R7/R9 read it later with no contract change. */
 export interface AssetConfig {
   /** Repo-relative asset roots, e.g. ["static/images"]. */
@@ -187,6 +214,9 @@ export interface CairnAdapter {
   /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
   icons?: IconSet;
   navMenu?: NavMenuConfig;
+  /** The live site's content styling for the preview frame. The admin's chrome isolation keeps
+   *  the site's CSS out of the admin document, so the preview frame links these instead. */
+  preview?: PreviewConfig;
   assets?: AssetConfig;
 }
 
@@ -285,6 +315,8 @@ export interface CairnRuntime {
   /** The site's glyph name to SVG path-data map, for the admin icon picker and the renderer. */
   icons?: IconSet;
   navMenu?: NavMenuConfig;
+  /** The live site's content styling for the preview frame; passed through from the adapter. */
+  preview?: PreviewConfig;
   assets?: AssetConfig;
   /** Admin panels contributed by extensions (Mode 2). Empty until Plan 09 wires the dispatch route. */
   adminPanels?: AdminPanel[];

package/src/lib/diagnostics/conditions.ts

@@ -101,6 +101,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		remediation: "Set csrf: { checkOrigin: false } in svelte.config.js and wire createAuthGuard into src/hooks.server.ts; cairn's guard owns the Origin and double-submit token checks.",
 		docsAnchor: 'cloudflare-readiness.md#hand-cairn-the-csrf-authority',
 	},
+	'config.public-origin-invalid': {
+		id: 'config.public-origin-invalid',
+		severity: 'blocker',
+		title: 'PUBLIC_ORIGIN is missing or invalid',
+		why: 'PUBLIC_ORIGIN is unset, does not parse as a URL, or uses http on a non-local host. The magic-link confirmation links and the absolute feed URLs derive from it, config-only so a forged Host header cannot redirect a link, and sign-in cannot mint a usable link without it.',
+		remediation: "Set PUBLIC_ORIGIN to the site's canonical https origin in the wrangler config vars (with .dev.vars carrying the local http override), then re-deploy; http passes only on localhost or 127.0.0.1.",
+		docsAnchor: 'cloudflare-readiness.md#set-the-public-origin',
+	},
 	'config.site-config-invalid': {
 		id: 'config.site-config-invalid',
 		severity: 'blocker',
@@ -109,6 +117,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		remediation: 'Correct site.config.yaml; the parse or validation error names the failing field or URL-policy rule.',
 		docsAnchor: 'cloudflare-readiness.md#validate-the-site-config',
 	},
+	'config.dependency-floors-unmet': {
+		id: 'config.dependency-floors-unmet',
+		severity: 'blocker',
+		title: 'A framework dependency sits below the engine floor',
+		why: 'The lockfile resolves svelte or @sveltejs/kit below the range the engine declares as a peer. Consumer sites compile the shipped .svelte sources, so a below-floor compiler bites silently at build time; svelte 5.56.1 miscompiles parenthesized boolean groupings, which is why the svelte floor is ^5.56.3.',
+		remediation: "Raise the devDependency range in the site's package.json to the engine peer range and reinstall so the lockfile re-resolves, for example `npm install --save-dev svelte@^5.56.3`.",
+		docsAnchor: 'cloudflare-readiness.md#meet-the-dependency-floors',
+	},
 	'edge.hsts-off': {
 		id: 'edge.hsts-off',
 		severity: 'warning',
@@ -134,6 +150,14 @@ export const REGISTRY: Record<string, CairnCondition> = {
 		docsAnchor: 'cloudflare-readiness.md#install-the-github-app',
 		logEvent: 'github.unreachable',
 	},
+	'admin.login-probe-failed': {
+		id: 'admin.login-probe-failed',
+		severity: 'blocker',
+		title: 'Live admin login probe failed',
+		why: 'A live request to the deployed admin did not answer with the working sign-in envelope (the login page, its CSRF cookie and hidden field, and the request action), so a real editor cannot sign in either. A probe failure has many possible causes; the detail line names the assertion that failed.',
+		remediation: 'Read the failed assertion in the detail line, run the full doctor against the same site, and work through the deploy guide; the other checks narrow the cause.',
+		docsAnchor: 'cloudflare-readiness.md#probe-the-deployed-admin',
+	},
 };
 
 // The registry is shared identity, never working state; freeze every entry and the map itself.

package/src/lib/doctor/bin.ts

@@ -7,8 +7,17 @@
 // before the process ends.
 import { readFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
+import { liveProbeCheck } from './check-probe.js';
 import { liveSendCheck } from './check-send.js';
-import { contextFromEnv, defaultChecks, formatReport, parseArgs, runDoctor } from './index.js';
+import { readWranglerConfig } from './wrangler-config.js';
+import {
+	contextFromEnv,
+	defaultChecks,
+	deriveMissingInputs,
+	formatReport,
+	parseArgs,
+	runDoctor,
+} from './index.js';
 
 async function main(): Promise<void> {
 	let args: ReturnType<typeof parseArgs>;
@@ -21,21 +30,37 @@ async function main(): Promise<void> {
 	}
 
 	const cwd = process.cwd();
+	const readFileUnderCwd = async (relPath: string): Promise<string | null> => {
+		try {
+			return await readFile(resolve(cwd, relPath), 'utf8');
+		} catch (err) {
+			if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
+			throw err;
+		}
+	};
+	// Fill inputs the flags and env left missing from the repo itself: from and repo off the
+	// adapter (through the vite arm, which exists only on this bin path, never in a Worker)
+	// and the account id off the wrangler config. The API token stays env-only.
+	const derived = await deriveMissingInputs(contextFromEnv(process.env, args, cwd), {
+		adapterFacts: async () => {
+			const { readAdapterFacts } = await import('../vite/index.js');
+			return readAdapterFacts(cwd);
+		},
+		wranglerAccountId: async () => (await readWranglerConfig(readFileUnderCwd))?.accountId,
+	});
 	const ctx = {
-		...contextFromEnv(process.env, args, cwd),
+		...derived,
 		fetch: globalThis.fetch,
-		readFile: async (relPath: string): Promise<string | null> => {
-			try {
-				return await readFile(resolve(cwd, relPath), 'utf8');
-			} catch (err) {
-				if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
-				throw err;
-			}
-		},
+		readFile: readFileUnderCwd,
 	};
 
 	const checks = defaultChecks();
 	if (args.sendTest) checks.push(liveSendCheck(args.sendTest));
+	// The probe is an opt-in network POST against a live site, so it joins only on --probe;
+	// the bare flag hands the URL resolution (the PUBLIC_ORIGIN input) to the check itself.
+	if (args.probe !== undefined) {
+		checks.push(liveProbeCheck(args.probe === true ? undefined : args.probe));
+	}
 
 	const { results, failed } = await runDoctor(checks, ctx);
 	console.log(formatReport(results));

package/src/lib/doctor/check-floors.ts

@@ -0,0 +1,124 @@
+// The dependency-floors check. The engine's peer ranges have teeth only when something reads
+// the consumer's lockfile, where a transitively pinned svelte can sit below the floor while
+// package.json looks fine (the ecxc retrofit shipped svelte 5.56.0 that way). The check compares
+// the resolved svelte and @sveltejs/kit versions in package-lock.json against the peer ranges
+// the installed @glw907/cairn-cms declares, read at runtime so the floors live in one place.
+import { createRequire } from 'node:module';
+import { fail, pass, skip } from './types.js';
+import type { CheckResult, DoctorCheck, DoctorContext } from './types.js';
+
+interface Version {
+	major: number;
+	minor: number;
+	patch: number;
+}
+
+// Plain x.y.z only. A prerelease or build tag returns null, so the check skips rather than
+// guessing how a tagged build orders against the floor.
+function parseVersion(text: string): Version | null {
+	const m = text.match(/^(\d+)\.(\d+)\.(\d+)$/);
+	if (!m) return null;
+	return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
+}
+
+// The engine's peers are simple caret ranges (^x.y.z, or ^x.y like the kit floor ^2.12), so
+// this handles the caret form only; anything else returns null and the check skips for that
+// dependency instead of approximating a full semver implementation.
+function caretFloor(range: string): Version | null {
+	const m = range.match(/^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+	if (!m) return null;
+	return { major: Number(m[1]), minor: Number(m[2] ?? 0), patch: Number(m[3] ?? 0) };
+}
+
+function compareVersions(a: Version, b: Version): number {
+	return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
+}
+
+// A v2/v3 lockfile's packages map; v1 has none and the check skips.
+interface LockPackages {
+	packages?: Record<string, { version?: unknown } | undefined>;
+}
+
+function lockedVersion(lock: LockPackages, dep: string): string | undefined {
+	const version = lock.packages?.[`node_modules/${dep}`]?.version;
+	return typeof version === 'string' ? version : undefined;
+}
+
+/**
+ * Judge a lockfile's resolved framework versions against the engine's peer ranges. Pure, so the
+ * tests drive it table-style; the check object wires in the real lockfile and the real peers.
+ * A below-range version fails; a lockfile or entry the check cannot read skips, since a pnpm or
+ * yarn consumer carries no package-lock.json at all.
+ */
+export function dependencyFloorsResult(
+	lockText: string | null,
+	peers: Record<string, string>
+): CheckResult {
+	if (lockText === null) {
+		return skip('no package-lock.json found (a pnpm or yarn lockfile is not read)');
+	}
+	let lock: LockPackages;
+	try {
+		lock = JSON.parse(lockText) as LockPackages;
+	} catch {
+		// Like the wrangler reader: never echo file content into the report.
+		return fail('package-lock.json did not parse');
+	}
+	if (lock.packages === undefined) {
+		return skip('package-lock.json carries no packages map (lockfile v1; reinstall with a current npm)');
+	}
+	const failures: string[] = [];
+	const skips: string[] = [];
+	const passes: string[] = [];
+	for (const [dep, range] of Object.entries(peers)) {
+		const floor = caretFloor(range);
+		if (floor === null) {
+			skips.push(`${dep}: the engine range ${range} is not a simple caret range`);
+			continue;
+		}
+		const resolved = lockedVersion(lock, dep);
+		if (resolved === undefined) {
+			skips.push(`${dep}: no node_modules/${dep} entry in package-lock.json`);
+			continue;
+		}
+		const version = parseVersion(resolved);
+		if (version === null) {
+			skips.push(`${dep}: resolved ${resolved} is not a plain x.y.z version`);
+			continue;
+		}
+		// The caret bounds both ends: at or above the floor, same major. The engine's peers
+		// start at major 1 or higher, so the 0.x caret nuance never applies here.
+		if (compareVersions(version, floor) < 0) {
+			failures.push(`${dep} resolves to ${resolved}, below the engine floor ${range}`);
+		} else if (version.major !== floor.major) {
+			failures.push(`${dep} resolves to ${resolved}, outside the engine peer range ${range}`);
+		} else {
+			passes.push(`${dep} ${resolved}`);
+		}
+	}
+	if (failures.length > 0) return fail(failures.join('; '));
+	if (skips.length > 0) return skip(skips.join('; '));
+	return pass(`${passes.join(' and ')} satisfy the engine peer ranges`);
+}
+
+/**
+ * The engine's own declared peer ranges, read from the installed package.json at runtime so the
+ * floors are declared exactly once. The self-reference resolves through the consumer's
+ * node_modules in a real install and through the repo root during development.
+ */
+export function readEnginePeers(): Record<string, string> {
+	const require = createRequire(import.meta.url);
+	const pkg = require('@glw907/cairn-cms/package.json') as {
+		peerDependencies?: Record<string, string>;
+	};
+	return pkg.peerDependencies ?? {};
+}
+
+export const configDependencyFloors: DoctorCheck = {
+	id: 'config.dependency-floors',
+	conditionId: 'config.dependency-floors-unmet',
+	title: 'Dependency floors',
+	async run(ctx: DoctorContext): Promise<CheckResult> {
+		return dependencyFloorsResult(await ctx.readFile('package-lock.json'), readEnginePeers());
+	},
+};

package/src/lib/doctor/check-probe.ts

@@ -0,0 +1,138 @@
+// The doctor's opt-in live probe (--probe): one GET and one POST against a deployed admin,
+// asserting the envelope a working sign-in presents. Zero side effects by construction: the
+// POST submits a random non-editor address, and the engine's non-leak design answers a
+// non-editor with the identical sent body while sending no email and minting no token, so the
+// probe leaves nothing behind on the site. A factory rather than a check constant, the same
+// shape as the live send: the check exists only when the bin receives --probe.
+import { fail, pass, skip } from './types.js';
+import type { CheckResult, DoctorCheck, DoctorContext } from './types.js';
+import { csrfCookieName } from '../auth/crypto.js';
+import { readWranglerConfig } from './wrangler-config.js';
+
+const NO_URL: CheckResult = skip(
+	'pass --probe <url>, set PUBLIC_ORIGIN in the wrangler vars, or set PUBLIC_ORIGIN in the environment'
+);
+
+/** Build the live-probe check. A missing url falls back to the PUBLIC_ORIGIN input at run time. */
+export function liveProbeCheck(url?: string): DoctorCheck {
+	return {
+		id: 'admin.login-probe',
+		conditionId: 'admin.login-probe-failed',
+		title: 'Live admin login probe',
+		async run(ctx: DoctorContext): Promise<CheckResult> {
+			// The wrangler vars hold the value the deployed Worker reads, so they beat the local
+			// environment, the same precedence the public-origin check applies.
+			const base =
+				url ?? (await readWranglerConfig(ctx.readFile))?.publicOrigin ?? ctx.publicOrigin;
+			if (base === undefined) return NO_URL;
+			let origin: URL;
+			try {
+				origin = new URL(base);
+			} catch {
+				return fail(`probe URL does not parse: ${base}`);
+			}
+			try {
+				return await probe(ctx, origin);
+			} catch (err) {
+				return fail(String(err));
+			}
+		},
+	};
+}
+
+/** GET /admin/login and assert the sign-in envelope, then hand the harvested token pair on. */
+async function probe(ctx: DoctorContext, origin: URL): Promise<CheckResult> {
+	const res = await ctx.fetch(String(new URL('/admin/login', origin)));
+	if (res.status !== 200) {
+		return fail(`GET /admin/login returned ${res.status}, expected 200`);
+	}
+	const cookieName = csrfCookieName(origin.protocol === 'https:');
+	const cookieValue = setCookieValue(res.headers.getSetCookie(), cookieName);
+	if (cookieValue === undefined) {
+		return fail(`GET /admin/login set no ${cookieName} cookie`);
+	}
+	const html = await res.text();
+	const field = csrfFieldValue(html);
+	if (field === undefined) {
+		return fail('the login page carries no name="csrf" hidden field with a value');
+	}
+	if (!/<form[^>]*action="[^"]*\?\/request"/.test(html)) {
+		return fail('the login page carries no form posting the ?/request action');
+	}
+	return postRequestAction(ctx, origin, `${cookieName}=${cookieValue}`, field);
+}
+
+/** The named cookie's value from the Set-Cookie lines, or undefined when no line names it. */
+function setCookieValue(lines: string[], name: string): string | undefined {
+	for (const line of lines) {
+		const eq = line.indexOf('=');
+		if (eq === -1 || line.slice(0, eq).trim() !== name) continue;
+		const rest = line.slice(eq + 1);
+		const semi = rest.indexOf(';');
+		return semi === -1 ? rest : rest.slice(0, semi);
+	}
+	return undefined;
+}
+
+/** The csrf hidden field's value, tolerant of attribute order, or undefined when absent or empty. */
+function csrfFieldValue(html: string): string | undefined {
+	const input = (html.match(/<input[^>]*>/g) ?? []).find((tag) => /name="csrf"/.test(tag));
+	if (input === undefined) return undefined;
+	return /value="([^"]+)"/.exec(input)?.[1];
+}
+
+/**
+ * POST the request action and read its serialized result. The address is random and non-editor
+ * at the reserved example.invalid domain, so even a delivery bug could send nothing anywhere,
+ * and the engine's non-leak design makes the response indistinguishable from a real send.
+ */
+async function postRequestAction(
+	ctx: DoctorContext,
+	origin: URL,
+	cookie: string,
+	csrf: string
+): Promise<CheckResult> {
+	const email = `cairn-doctor-probe-${Math.random().toString(36).slice(2, 10)}@example.invalid`;
+	const res = await ctx.fetch(String(new URL('/admin/login?/request', origin)), {
+		method: 'POST',
+		headers: {
+			'content-type': 'application/x-www-form-urlencoded',
+			cookie,
+		},
+		body: new URLSearchParams({ email, csrf }).toString(),
+	});
+	if (res.status !== 200) {
+		return fail(`POST ?/request returned ${res.status}, expected 200`);
+	}
+	// A no-Accept action POST answers with SvelteKit's serialized form-action JSON, shaped
+	// {"type":"success","status":200,"data":"<devalue array string>"}. The data field is a
+	// devalue encoding the probe reads by containment for the status literals, tolerant of
+	// encoding details it does not own, instead of pulling in a devalue parser.
+	let envelope: { type?: unknown; data?: unknown };
+	try {
+		envelope = (await res.json()) as { type?: unknown; data?: unknown };
+	} catch {
+		return fail('POST ?/request did not answer with the serialized action JSON');
+	}
+	if (envelope.type !== 'success') {
+		return fail(`POST ?/request answered type ${String(envelope.type)}, expected success`);
+	}
+	const data = typeof envelope.data === 'string' ? envelope.data : '';
+	if (data.includes('"send_error"')) {
+		return fail(
+			'the request action answered send_error; the magic-link send path is failing (see the email checks and the auth.link.send_failed log records)'
+		);
+	}
+	// Every payload carries the "sent" field name, so the distinct status spellings go first.
+	if (data.includes('"throttled"')) {
+		return pass(
+			`sign-in envelope verified at ${origin.origin}; the request action answered throttled (a real cooldown window is active), which still proves the path`
+		);
+	}
+	if (data.includes('"sent"')) {
+		return pass(
+			`sign-in envelope verified at ${origin.origin}; the request action answered sent for a non-editor probe address`
+		);
+	}
+	return fail('POST ?/request answered success with an unrecognized payload');
+}

package/src/lib/doctor/checks-github.ts

@@ -22,7 +22,9 @@ export const githubApp: DoctorCheck = {
 			);
 		}
 		if (!ctx.repo) {
-			return skip('pass --repo or set GITHUB_REPO to run this check');
+			return skip(
+				'pass --repo, set GITHUB_REPO, or configure the cairnManifest plugin so the doctor can read the adapter'
+			);
 		}
 		const creds = appCredentials(
 			{ appId: ctx.github.appId, installationId: ctx.github.installationId },

package/src/lib/doctor/checks-local.ts

@@ -1,9 +1,10 @@
 // The doctor's local-config checks: the wrangler bindings, the observability sink, the
-// svelte.config CSRF handoff, and the site-config validation. Every read goes through the
-// injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
+// svelte.config CSRF handoff, the site-config validation, and the public origin. Every read
+// goes through the injected ctx.readFile, so the tests pass fixtures and the bin passes node:fs.
 import { fail, pass, skip } from './types.js';
 import type { CheckResult, DoctorCheck, DoctorContext } from './types.js';
 import { readWranglerConfig } from './wrangler-config.js';
+import { requireOrigin } from '../env.js';
 import { parseSiteConfig, urlPolicyFrom } from '../nav/site-config.js';
 import { normalizeConcepts } from '../content/concepts.js';
 import { defineFields } from '../content/schema.js';
@@ -85,6 +86,31 @@ export const configCsrfDisable: DoctorCheck = {
 	},
 };
 
+export const configPublicOrigin: DoctorCheck = {
+	id: 'config.public-origin',
+	conditionId: 'config.public-origin-invalid',
+	title: 'Public origin',
+	async run(ctx: DoctorContext): Promise<CheckResult> {
+		// The wrangler vars hold the value the deployed Worker reads, so they beat the local
+		// environment; the env fallback covers a dashboard-set var the file never carries.
+		const facts = await readWranglerConfig(ctx.readFile);
+		const fromVars = facts?.publicOrigin;
+		const origin = fromVars ?? ctx.publicOrigin;
+		if (facts === null && origin === undefined) {
+			return skip('no wrangler config found and PUBLIC_ORIGIN is not in the environment');
+		}
+		// requireOrigin is the runtime rule (unset, not a URL, http off localhost); reusing it
+		// keeps the doctor and the Worker on one judgment.
+		try {
+			requireOrigin({ PUBLIC_ORIGIN: origin });
+		} catch (err) {
+			return fail(err instanceof Error ? err.message : String(err));
+		}
+		const source = fromVars !== undefined ? 'wrangler vars' : 'environment';
+		return pass(`PUBLIC_ORIGIN is ${origin} (${source})`);
+	},
+};
+
 // Where sites keep site.config.yaml. The adapter's configPath is TypeScript the CLI cannot
 // evaluate, so the check probes the conventional spots instead (the repo root and the two
 // src locations the production sites use).

package/src/lib/doctor/cloudflare-api.ts

@@ -9,10 +9,12 @@ export const CF_API = 'https://api.cloudflare.com/client/v4';
 
 export const NO_TOKEN: CheckResult = skip('set CLOUDFLARE_API_TOKEN to run this check');
 
-export const NO_FROM: CheckResult = skip('pass --from or set CAIRN_FROM to run this check');
+export const NO_FROM: CheckResult = skip(
+	'pass --from, set CAIRN_FROM, or configure the cairnManifest plugin so the doctor can read the adapter'
+);
 
 export const NO_ACCOUNT: CheckResult = skip(
-	'set CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID to run this check'
+	'set CLOUDFLARE_API_TOKEN, and CLOUDFLARE_ACCOUNT_ID or a wrangler account_id, to run this check'
 );
 
 export function cfGet(ctx: DoctorContext, path: string): Promise<Response> {

package/src/lib/doctor/index.ts

@@ -7,22 +7,28 @@ import {
 	configObservability,
 	configCsrfDisable,
 	configSiteConfig,
+	configPublicOrigin,
 } from './checks-local.js';
+import { configDependencyFloors } from './check-floors.js';
 import { emailSenderOnboarded, edgeHttpsForced, edgeHsts, authStore } from './checks-cloudflare.js';
 import { githubApp } from './checks-github.js';
 
 export { runDoctor } from './run.js';
 export { formatReport } from './report.js';
 
-const USAGE = 'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>]';
+const USAGE =
+	'Usage: cairn-doctor [--from <address>] [--repo <owner/name>] [--send-test <address>] [--probe [url]]';
 
 export interface DoctorArgs {
 	from?: string;
 	repo?: string;
 	sendTest?: string;
+	/** The live admin probe: a URL when --probe carried one, true for the bare flag (probe the
+	 *  PUBLIC_ORIGIN input), absent when the flag never appeared (the probe does not run). */
+	probe?: string | true;
 }
 
-const FLAGS: Record<string, keyof DoctorArgs> = {
+const FLAGS: Record<string, 'from' | 'repo' | 'sendTest'> = {
 	'--from': 'from',
 	'--repo': 'repo',
 	'--send-test': 'sendTest',
@@ -31,8 +37,16 @@ const FLAGS: Record<string, keyof DoctorArgs> = {
 /** Parse the bin's argv (long flags only). Throws with a usage line on anything unexpected. */
 export function parseArgs(argv: string[]): DoctorArgs {
 	const args: DoctorArgs = {};
-	for (let i = 0; i < argv.length; i += 2) {
+	for (let i = 0; i < argv.length; ) {
 		const flag = argv[i];
+		// --probe alone is meaningful (probe the PUBLIC_ORIGIN input), so its value is optional.
+		if (flag === '--probe') {
+			const value = argv[i + 1];
+			const bare = value === undefined || value.startsWith('--');
+			args.probe = bare ? true : value;
+			i += bare ? 1 : 2;
+			continue;
+		}
 		const key = FLAGS[flag];
 		if (!key) throw new Error(`unknown argument ${flag}\n${USAGE}`);
 		const value = argv[i + 1];
@@ -40,6 +54,7 @@ export function parseArgs(argv: string[]): DoctorArgs {
 			throw new Error(`${flag} needs a value\n${USAGE}`);
 		}
 		args[key] = value;
+		i += 2;
 	}
 	return args;
 }
@@ -62,6 +77,7 @@ export function contextFromEnv(
 		repo: args.repo ?? env.GITHUB_REPO,
 		cfToken: env.CLOUDFLARE_API_TOKEN,
 		cfAccountId: env.CLOUDFLARE_ACCOUNT_ID,
+		publicOrigin: env.PUBLIC_ORIGIN,
 		github:
 			GITHUB_APP_ID && GITHUB_APP_INSTALLATION_ID && GITHUB_APP_PRIVATE_KEY_B64
 				? {
@@ -73,10 +89,53 @@ export function contextFromEnv(
 	};
 }
 
+/** The lazy derivation sources the bin wires up: the adapter read through the consumer's own
+ *  Vite resolution and the wrangler config's account_id. Each runs only when an input it feeds
+ *  is still missing, so a doctor run with full flags touches neither. */
+export interface DerivationSources {
+	/** Returns { owner, repo, from } off the adapter, or null when nothing is derivable. */
+	adapterFacts: () => Promise<{ owner?: string; repo?: string; from?: string } | null>;
+	/** Returns the wrangler config's account_id, or undefined when none is declared. */
+	wranglerAccountId: () => Promise<string | undefined>;
+}
+
+/**
+ * Fill the context's missing inputs from the repo the doctor runs in: from and repo off the
+ * adapter, the account id off the wrangler config. An explicit flag or env value always wins
+ * (contextFromEnv already resolved those into ctx), each source runs lazily and only for
+ * inputs still missing, and a derivation failure leaves the input absent so its check skips
+ * with the usual remediation line instead of the doctor crashing. The API token is never
+ * derived; it stays env-only.
+ */
+export async function deriveMissingInputs(
+	ctx: Omit<DoctorContext, 'fetch' | 'readFile'>,
+	sources: DerivationSources
+): Promise<Omit<DoctorContext, 'fetch' | 'readFile'>> {
+	const out = { ...ctx };
+	if (out.from === undefined || out.repo === undefined) {
+		const facts = await sources.adapterFacts().catch(() => null);
+		if (out.from === undefined && typeof facts?.from === 'string') {
+			out.from = facts.from;
+		}
+		if (
+			out.repo === undefined &&
+			typeof facts?.owner === 'string' &&
+			typeof facts?.repo === 'string'
+		) {
+			out.repo = `${facts.owner}/${facts.repo}`;
+		}
+	}
+	if (out.cfAccountId === undefined) {
+		const accountId = await sources.wranglerAccountId().catch(() => undefined);
+		if (typeof accountId === 'string') out.cfAccountId = accountId;
+	}
+	return out;
+}
+
 /**
- * The default registry: the four local-config checks, the four Cloudflare checks, and the
- * GitHub App chain. The live send is opt-in (--send-test) and never sits here; the bin appends
- * it. A fresh array per call, so that append mutates nothing shared.
+ * The default registry: the six local checks, the four Cloudflare checks, and the GitHub App
+ * chain. The live send is opt-in (--send-test) and never sits here; the bin appends it. A
+ * fresh array per call, so that append mutates nothing shared.
  */
 export function defaultChecks(): DoctorCheck[] {
 	return [
@@ -84,6 +143,8 @@ export function defaultChecks(): DoctorCheck[] {
 		configObservability,
 		configCsrfDisable,
 		configSiteConfig,
+		configPublicOrigin,
+		configDependencyFloors,
 		emailSenderOnboarded,
 		edgeHttpsForced,
 		edgeHsts,

package/src/lib/doctor/types.ts

@@ -43,6 +43,8 @@ export interface DoctorContext {
 	cfToken?: string;
 	/** CLOUDFLARE_ACCOUNT_ID. */
 	cfAccountId?: string;
+	/** PUBLIC_ORIGIN, the env fallback when the wrangler vars carry none. */
+	publicOrigin?: string;
 	/** GITHUB_APP_ID / GITHUB_APP_INSTALLATION_ID / GITHUB_APP_PRIVATE_KEY_B64. */
 	github?: { appId: string; installationId: string; privateKeyB64: string };
 	/** Injected fetch for tests; defaults to global fetch. */

package/src/lib/doctor/wrangler-config.ts

@@ -12,6 +12,10 @@ export interface WranglerFacts {
 	authDbId?: string;
 	/** observability.enabled is true. */
 	observabilityEnabled: boolean;
+	/** vars.PUBLIC_ORIGIN, when declared; the public-origin check validates it. */
+	publicOrigin?: string;
+	/** The top-level account_id, when declared; a fallback for CLOUDFLARE_ACCOUNT_ID. */
+	accountId?: string;
 }
 
 export async function readWranglerConfig(
@@ -91,6 +95,9 @@ function factsFromJsonc(text: string): WranglerFacts {
 		observabilityEnabled: observability?.enabled === true,
 	};
 	if (typeof authDb?.database_id === 'string') facts.authDbId = authDb.database_id;
+	const vars = config.vars as { PUBLIC_ORIGIN?: unknown } | undefined;
+	if (typeof vars?.PUBLIC_ORIGIN === 'string') facts.publicOrigin = vars.PUBLIC_ORIGIN;
+	if (typeof config.account_id === 'string') facts.accountId = config.account_id;
 	return facts;
 }
 
@@ -135,6 +142,10 @@ function factsFromToml(text: string): WranglerFacts {
 			if (key === 'database_id') d1Id = str;
 		} else if (section === '[observability]' && key === 'enabled' && value.startsWith('true')) {
 			facts.observabilityEnabled = true;
+		} else if (section === '[vars]' && key === 'PUBLIC_ORIGIN' && str !== undefined) {
+			facts.publicOrigin = str;
+		} else if (section === '' && key === 'account_id' && str !== undefined) {
+			facts.accountId = str;
 		}
 	}
 	flushD1();