@glw907/cairn-cms 0.58.0 → 0.59.0

package/dist/sveltekit/content-routes.js

@@ -26,8 +26,11 @@ import { r2Store } from '../media/store.js';
 import { parseMediaEntries, parseMediaManifest, upsertMediaEntry, removeMediaEntry, serializeMediaManifest } from '../media/manifest.js';
 import { mediaLibraryEntry } from '../media/library-entry.js';
 import { buildUsageIndex } from '../media/usage.js';
+import { runReconcile, MEDIA_KEY_RE } from '../media/reconcile.js';
+import { buildOrphanScan } from '../media/orphan-scan.js';
 import { repointMediaRef, fillAltForHash } from '../content/media-rewrite.js';
 import { planMediaRewrite } from '../media/rewrite-plan.js';
+import { planBulkDelete } from '../media/bulk-delete-plan.js';
 /** Resolve the effective preview for one concept: its `byConcept` override wins per key, with
  *  nullish coalescing so an override key that is present but undefined keeps the top-level value.
  *  Stylesheets are always shared, and the `byConcept` map never reaches the client. */
@@ -233,6 +236,10 @@ export function createContentRoutes(runtime, deps = {}) {
             flash = 'replaced';
         else if (event.url.searchParams.get('altPropagated') === '1')
             flash = 'altPropagated';
+        else if (event.url.searchParams.get('bulkDeleted') === '1')
+            flash = 'bulkDeleted';
+        else if (event.url.searchParams.get('orphansPurged') === '1')
+            flash = 'orphansPurged';
         const flashError = event.url.searchParams.get('error');
         let token;
         try {
@@ -1073,6 +1080,245 @@ export function createContentRoutes(runtime, deps = {}) {
         log.info('media.deleted', { editor: editor.email, hash });
         throw redirect(303, '/admin/media?deleted=1');
     }
+    /** Bulk safe-delete a multi-select of committed media assets. This is mediaDeleteAction extended to
+     *  many items, with the same safety primitives and one rule that defines the batch: the gate is ONE
+     *  shared strict cross-branch usage index built per batch, never N per-item reads (N strict reads
+     *  would blow the workerd connection budget at many open branches). The fail-closed posture is for
+     *  the WHOLE batch: if that single strict index cannot complete, the action refuses everything and
+     *  commits nothing, rather than risk deleting bytes a branch still references.
+     *
+     *  Skip-and-report, never force: the pure planBulkDelete partitions the selection against the strict
+     *  index into deletable (no usage row, a committed manifest row exists), skipped-still-referenced (a
+     *  usage row, carried for the where-used), and skipped-uncommitted (no manifest row). An in-use item
+     *  is skipped and reported, never bulk-force-deleted; forced in-use deletion stays the single-item
+     *  typed-slug path.
+     *
+     *  The order is load-bearing, mirroring single delete: ONE atomic commit removes every deletable row
+     *  FIRST, then the R2 objects are deleted (commit-row-then-delete-R2). A failure after the commit
+     *  leaves bytes with no row (a benign orphan) rather than a row pointing at deleted bytes. Each R2
+     *  delete is best-effort and batch-resilient: a per-object error is reported in `failed` and never
+     *  aborts the rest of the batch. The result is an itemized 207-style summary the component renders
+     *  (deleted / skipped with reasons / failed); there is no success redirect. */
+    async function mediaBulkDelete(event) {
+        const editor = requireSession(event);
+        const token = await mintToken(event.platform?.env ?? {});
+        // Read the selected hashes from the form. Accept the repeated `hash` field, falling back to a JSON
+        // `hashes` array. Each value must match the 16-hex content-hash grammar; a malformed value is
+        // dropped silently rather than surfaced as a skip (it was never a real selection).
+        const form = await event.request.formData();
+        let raw = form.getAll('hash').map(String);
+        if (raw.length === 0) {
+            const json = form.get('hashes');
+            if (typeof json === 'string') {
+                try {
+                    const parsed = JSON.parse(json);
+                    if (Array.isArray(parsed))
+                        raw = parsed.map(String);
+                }
+                catch {
+                    raw = [];
+                }
+            }
+        }
+        const selected = raw.filter((h) => MEDIA_HASH_RE.test(h));
+        // Read the fresh media manifest (the deletable rows come from here, by hash).
+        const manifest = parseMediaManifest(parseMediaJson(await readRaw(runtime.backend, runtime.mediaManifestPath, token)));
+        // Resolve the R2 bucket before any write, so a media-off site or a missing binding refuses before
+        // the commit, exactly like single delete.
+        const resolved = runtime.resolvedAssets;
+        if (!resolved.enabled) {
+            return fail(503, { error: 'Media is not enabled for this site.' });
+        }
+        const platformEnv = event.platform?.env ?? {};
+        const rawBucket = platformEnv[resolved.bucketBinding];
+        if (!rawBucket) {
+            return fail(503, { error: 'The media bucket is not bound.' });
+        }
+        const store = r2Store(rawBucket);
+        // THE fail-closed gate for the whole batch: one shared strict usage index. STRICT mode rethrows a
+        // branch-read failure, so a transient branch read failing refuses the whole batch rather than
+        // mistaking a still-referenced asset for an orphan. Build exactly one index, never one per item.
+        let index;
+        try {
+            index = await buildUsageIndex(runtime.backend, token, runtime.concepts, await readManifest(token), { strict: true });
+        }
+        catch {
+            return fail(503, { error: 'Could not verify where these assets are used. Try again.' });
+        }
+        // The pure partition: membership in the fresh strict index is the gate, never the display count.
+        const plan = planBulkDelete(selected, index, manifest);
+        // An all-skipped or empty batch is a no-op success: nothing committed, nothing deleted.
+        if (plan.deletable.length === 0) {
+            return { deleted: [], skipped: plan.skipped, failed: [] };
+        }
+        // ONE atomic commit removing EVERY deletable row, folded over removeMediaEntry.
+        let next = manifest;
+        for (const hash of plan.deletable)
+            next = removeMediaEntry(next, hash);
+        const commitFields = { concept: 'media', id: 'bulk', editor: editor.email };
+        try {
+            await commitFiles(runtime.backend, [{ path: runtime.mediaManifestPath, content: serializeMediaManifest(next) }], { message: `Delete ${plan.deletable.length} media assets`, author: { name: editor.displayName, email: editor.email } }, token);
+            log.info('commit.succeeded', commitFields);
+        }
+        catch (err) {
+            commitFailure(commitFields, err, '/admin/media', 'The media manifest changed since you opened it. Reload and try again.');
+        }
+        // THEN delete each deletable hash's R2 object (the load-bearing order, see the docstring). Best
+        // effort and batch-resilient: a thrown key derivation or a delete error is reported in `failed`
+        // and the loop continues. An absent object is a no-op (the R2 contract).
+        const deleted = [];
+        const failed = [];
+        for (const hash of plan.deletable) {
+            try {
+                const row = manifest[hash];
+                await store.delete(r2Key(row.hash, row.ext));
+                deleted.push(hash);
+            }
+            catch (err) {
+                failed.push({ hash, error: err instanceof Error ? err.message : String(err) });
+            }
+        }
+        log.info('media.bulk_deleted', { editor: editor.email, deleted: deleted.length, skipped: plan.skipped.length });
+        return { deleted, skipped: plan.skipped, failed };
+    }
+    /** The on-demand orphan scan: a read-only reconcile of stored R2 bytes against the manifest, joined
+     *  with one strict cross-branch usage index for the broken-reference where-used. It runs only when
+     *  requested, never on the loaded index, because it is heavier than the load path: a full R2 list
+     *  plus a reconcile pass on top of the strict usage build.
+     *
+     *  Detection-time fail-closed: BOTH the reconcile and the strict usage build run inside one
+     *  try/catch, and any throw refuses the whole scan with fail(503) rather than returning a partial
+     *  result. The reconcile must not run on a half-listed bucket: a truncated R2 list would call
+     *  still-stored bytes orphaned. The strict usage build must not run on a half-read branch set: an
+     *  unread branch would make a branch-referenced asset look orphaned. A wrong orphan verdict here
+     *  feeds the irreversible purge, so the scan refuses rather than risk it.
+     *
+     *  The result is the OrphanScan projection: orphanedBytes (stored keys with no manifest row, the
+     *  purge surface) and brokenRefs (manifest rows whose bytes are gone, read-only, shown with their
+     *  where-used so an operator can re-ingest rather than purge a still-referenced record). */
+    async function mediaOrphanScan(event) {
+        requireSession(event);
+        const token = await mintToken(event.platform?.env ?? {});
+        // Resolve the R2 binding. The reconcile lists the raw bucket directly, so keep the raw binding;
+        // the MediaStore seam carries no list. A media-off site or a missing binding refuses the scan.
+        const resolved = runtime.resolvedAssets;
+        if (!resolved.enabled) {
+            return fail(503, { error: 'Media is not enabled for this site.' });
+        }
+        const platformEnv = event.platform?.env ?? {};
+        const rawBucket = platformEnv[resolved.bucketBinding];
+        if (!rawBucket) {
+            return fail(503, { error: 'The media bucket is not bound.' });
+        }
+        // Read the fresh media manifest for the reconcile's manifest side.
+        const manifest = parseMediaManifest(parseMediaJson(await readRaw(runtime.backend, runtime.mediaManifestPath, token)));
+        // THE detection-time fail-closed surface. The reconcile (an R2 list that must complete in full)
+        // and the strict usage build (a branch read that must complete in full) are both unsafe to use
+        // partially, so either throwing refuses the scan. A wrong orphan verdict from a partial read here
+        // would feed the irreversible purge.
+        let reconcile;
+        let index;
+        try {
+            reconcile = await runReconcile(rawBucket, manifest);
+            index = await buildUsageIndex(runtime.backend, token, runtime.concepts, await readManifest(token), { strict: true });
+        }
+        catch {
+            return fail(503, { error: 'Could not check where files are used, so the scan was not run. Try again.' });
+        }
+        return buildOrphanScan(reconcile, manifest, index);
+    }
+    /** Purge orphaned R2 bytes: the one IRREVERSIBLE media action. Raw object bytes live only in R2, not
+     *  in git, so a purged orphan cannot be recovered the way a deleted manifest row can be reverted in
+     *  history. The whole action is built around that fact.
+     *
+     *  The typed-count confirm is the never-bypassable gate, the analogue of single delete's typed-slug
+     *  check. The form's `confirm` must equal the count of selected keys (the approved rev.2 mockup's
+     *  "Type N to purge these files for good"); an empty selection or a mismatched count deletes nothing.
+     *
+     *  Re-derive fresh is the safety crux. The selection came from an earlier scan, so the action does
+     *  NOT trust it: the purge keys are client-posted, so the server cannot assume they came from a fresh
+     *  scan. It reads the current media manifest AND rebuilds ONE strict cross-branch usage index, then
+     *  for each selected key parses the hash from the key grammar. A key that does not match the grammar
+     *  was never a real orphan key and is dropped silently. A key whose hash now has a manifest row OR is
+     *  referenced on any open cairn/* branch survived the scan window (it was claimed by a row, or a
+     *  draft started referencing those bytes), so it is skipped into skippedClaimed and its bytes survive.
+     *  Only a key whose hash is STILL absent from both is purged. This closes the TOCTOU between scan and
+     *  purge that could otherwise irreversibly delete a live draft's bytes.
+     *
+     *  Like the scan and the bulk delete, the strict index build is the fail-closed gate: a branch read
+     *  that throws refuses the whole batch with fail(503) rather than mistaking an unverifiable reference
+     *  for an absent one. The index is built exactly once for the batch, never once per key.
+     *
+     *  There is no commit. An orphan by definition has no manifest row to remove, so the purge deletes
+     *  the R2 object directly. Each delete is best-effort and batch-resilient: a per-object error is
+     *  reported in `failed` and the loop continues; an absent object is a no-op (the R2 contract). */
+    async function mediaPurgeOrphans(event) {
+        const editor = requireSession(event);
+        const token = await mintToken(event.platform?.env ?? {});
+        // Resolve the R2 binding, the same media-off / missing-binding refusals as the scan. The purge
+        // deletes through the MediaStore seam, so wrap the raw binding.
+        const resolved = runtime.resolvedAssets;
+        if (!resolved.enabled) {
+            return fail(503, { error: 'Media is not enabled for this site.' });
+        }
+        const platformEnv = event.platform?.env ?? {};
+        const rawBucket = platformEnv[resolved.bucketBinding];
+        if (!rawBucket) {
+            return fail(503, { error: 'The media bucket is not bound.' });
+        }
+        const store = r2Store(rawBucket);
+        // Read the selected R2 keys and the typed confirm.
+        const form = await event.request.formData();
+        const keys = form.getAll('key').map(String);
+        const confirm = String(form.get('confirm') ?? '');
+        // The irreversible gate: the confirm must equal the selected count, and the set must be non-empty.
+        // A mismatch or an empty set refuses and deletes NOTHING.
+        if (keys.length === 0 || confirm !== String(keys.length)) {
+            return fail(400, { error: 'Type the number of files to confirm the purge.' });
+        }
+        // Re-derive fresh against the current manifest, so a key claimed since the scan is never purged.
+        const manifest = parseMediaManifest(parseMediaJson(await readRaw(runtime.backend, runtime.mediaManifestPath, token)));
+        // THE fail-closed gate for the whole batch: one shared strict cross-branch usage index, symmetric
+        // with the scan and the bulk delete. STRICT mode rethrows a branch-read failure, so a transient
+        // branch read refuses the irreversible purge rather than letting a possibly-referenced byte be
+        // treated as a true orphan. Build exactly one index, never one per key.
+        let index;
+        try {
+            index = await buildUsageIndex(runtime.backend, token, runtime.concepts, await readManifest(token), { strict: true });
+        }
+        catch {
+            return fail(503, { error: 'Could not verify where these files are used. Try again.' });
+        }
+        const purged = [];
+        const skippedClaimed = [];
+        const failed = [];
+        for (const key of keys) {
+            const hash = MEDIA_KEY_RE.exec(key)?.[1];
+            // A key that does not match the grammar was never a real orphan key: drop it silently.
+            if (hash === undefined)
+                continue;
+            // A hash that now has a manifest row was claimed since the scan: its bytes are a live asset now.
+            if (manifest[hash]) {
+                skippedClaimed.push(key);
+                continue;
+            }
+            // A hash referenced on any open cairn/* branch backs an in-progress draft: skip it claimed too.
+            if (index.has(hash)) {
+                skippedClaimed.push(key);
+                continue;
+            }
+            // Still orphaned: delete the object directly. No commit, there is no manifest row.
+            try {
+                await store.delete(key);
+                purged.push(key);
+            }
+            catch (err) {
+                failed.push({ key, error: err instanceof Error ? err.message : String(err) });
+            }
+        }
+        log.info('media.orphans_purged', { editor: editor.email, purged: purged.length });
+        return { purged, skippedClaimed, failed };
+    }
     /** Edit a committed asset's metadata: its display name, slug, and default alt. A single media.json
      *  row commit, with NO reference rewrite: the resolver and the delivery route key on the hash, so a
      *  rename never breaks an existing `media:` reference. The default alt is the asset's value for the
@@ -1425,7 +1671,7 @@ export function createContentRoutes(runtime, deps = {}) {
         }
         throw redirect(303, '/admin/media?altPropagated=1');
     }
-    return { layoutLoad, indexRedirect, listLoad, mediaLibraryLoad, createAction, editLoad, saveAction, publishAction, publishAllAction, discardAction, deleteAction, listDeleteAction, renameAction, uploadAction, mediaDeleteAction, mediaUpdateAction, mediaReplacePreview, mediaReplaceApply, mediaAltPreview, mediaAltApply, mintToken };
+    return { layoutLoad, indexRedirect, listLoad, mediaLibraryLoad, createAction, editLoad, saveAction, publishAction, publishAllAction, discardAction, deleteAction, listDeleteAction, renameAction, uploadAction, mediaDeleteAction, mediaBulkDelete, mediaOrphanScan, mediaPurgeOrphans, mediaUpdateAction, mediaReplacePreview, mediaReplaceApply, mediaAltPreview, mediaAltApply, mintToken };
 }
 /** The cap, in characters, on the stored alt text. The human fields are display copy, not content,
  *  so a generous cap rejects only abuse-scale input. */

package/dist/sveltekit/index.d.ts

@@ -3,7 +3,7 @@ export { createAuthRoutes, type AuthRoutesConfig, type RequestResult } from './a
 export { createEditorRoutes } from './editors-routes.js';
 export { createContentRoutes } from './content-routes.js';
 export { createMediaRoute } from './media-route.js';
-export type { NavConcept, LayoutData, EntrySummary, ListData, EditData, MediaUsageInfo, MediaLibraryData, ContentEvent, ContentRoutesDeps, SaveFailure, DeleteRefusal, RenameFailure, MediaDeleteRefusal, MediaUpdateFailure, MediaReplaceFailure, MediaAltPropagateFailure, ContentFormFailure, UploadResult, } from './content-routes.js';
+export type { NavConcept, LayoutData, EntrySummary, ListData, EditData, MediaUsageInfo, MediaLibraryData, ContentEvent, ContentRoutesDeps, SaveFailure, DeleteRefusal, RenameFailure, MediaDeleteRefusal, MediaUpdateFailure, MediaReplaceFailure, MediaAltPropagateFailure, MediaBulkFailure, ContentFormFailure, UploadResult, } from './content-routes.js';
 export { createNavRoutes } from './nav-routes.js';
 export type { NavLoadData, NavPageOption, NavRoutesDeps } from './nav-routes.js';
 export { parseAdminPath, type AdminView } from './admin-dispatch.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glw907/cairn-cms",
-  "version": "0.58.0",
+  "version": "0.59.0",
   "description": "Embedded, magic-link, GitHub-committing CMS for SvelteKit/Cloudflare sites.",
   "type": "module",
   "sideEffects": [