@glw907/cairn-cms 0.58.0 → 0.60.0

package/dist/sveltekit/content-routes.d.ts

@@ -1,11 +1,14 @@
 import { fail } from '@sveltejs/kit';
 import { type GithubKeyEnv } from '../github/credentials.js';
 import { type LinkTarget, type InboundLink } from '../content/manifest.js';
+import type { TidyConventions } from '../nav/site-config.js';
 import type { MediaEntry } from '../media/manifest.js';
 import type { MediaLibrary, MediaLibraryEntry } from '../media/library-entry.js';
 import type { UsageEntry } from '../media/usage.js';
+import { type OrphanScan } from '../media/orphan-scan.js';
 import type { RepointPlacement, AltPlacement } from '../content/media-rewrite.js';
 import type { BranchRef } from '../media/rewrite-plan.js';
+import type { BulkDeleteSkip } from '../media/bulk-delete-plan.js';
 import type { CookieJar, EventBase } from './types.js';
 import type { CairnRuntime, FrontmatterField, ResolvedPreview } from '../content/types.js';
 import type { Role } from '../auth/types.js';
@@ -114,6 +117,26 @@ export interface EditData {
      *  when one exists, applied over the top-level values); null when the site sets none, which
      *  leaves the frame rendering unstyled markup behind a hint. */
     preview: ResolvedPreview | null;
+    /** The spellcheck dictionary file for the site's configured dialect (default US English), resolved
+     *  once at compose. The editor resolves it to a real asset URL on the main thread and hands that URL
+     *  to the spellcheck Worker's `init`, the same way `mediaLibrary` is threaded in. Just the filename,
+     *  e.g. "dictionary-en-us.txt". */
+    spellcheckDictionary: string;
+    /** The committed personal-dictionary words for the site (spec 1.6): the durable, shared, reviewable
+     *  layer the editor seeds the spellcheck Worker's personal set from, the way `mediaLibrary` is handed
+     *  in. Read from the git-committed `dictionary.txt` at editor load; empty when the file is absent or
+     *  unreadable (the editor degrades to dialect-only). The dialect dictionary and the session ignore
+     *  list are the other two layers; only this one is committed. */
+    siteDictionary: string[];
+    /** The editor-tier tidy facts the review surface needs (spec 2.5): whether tidy is enabled, the model
+     *  that runs (for the head pill), and the RESOLVED conventions (the only data source for a
+     *  normalization's because-line and the local category inference). The API key never appears here, it
+     *  is a Worker secret. `enabled` false hides the Tidy control. */
+    tidy: {
+        enabled: boolean;
+        model: string;
+        conventions: TidyConventions;
+    };
 }
 /** One asset's where-used overlay, kept separate from MediaLibraryEntry so the picker's shared
  *  projection stays decoupled from the Library-only usage facts. */
@@ -135,13 +158,49 @@ export interface MediaLibraryData {
      *  redirected commit conflict never overwrite each other. */
     error: string | null;
     /** The success flash a redirected action carries: `deleted` from `?deleted=1`, `updated` from
-     *  `?updated=1`, `replaced` from `?replaced=1`, `altPropagated` from `?altPropagated=1`, null
-     *  otherwise. The component renders a polite success strip for each. */
-    flash: 'deleted' | 'updated' | 'replaced' | 'altPropagated' | null;
+     *  `?updated=1`, `replaced` from `?replaced=1`, `altPropagated` from `?altPropagated=1`,
+     *  `bulkDeleted` from `?bulkDeleted=1`, `orphansPurged` from `?orphansPurged=1`, null otherwise.
+     *  The component renders a polite success strip for each. */
+    flash: 'deleted' | 'updated' | 'replaced' | 'altPropagated' | 'bulkDeleted' | 'orphansPurged' | null;
     /** A redirected action's conflict error read from `?error=` (a commit-conflict bounce). Kept in
      *  its own slot rather than the degraded-load `error` above, so the two never collide. */
     flashError: string | null;
 }
+/** The two-tier tidy settings load (spec 2.8, Task 15). The developer tier is read-only: `enabled`,
+ *  `keyConfigured`, and `model`/`modelLabel` are deploy-time facts the editor sees but cannot change.
+ *  The editor tier is the resolved `conventions` block, written back through the save. The visibility
+ *  gate is truthful: `enabled` is true only when `tidy.enabled` is set AND the API key is present, so
+ *  the screen renders the convention list only then and the honest gate note otherwise. The key is a
+ *  Worker secret, so `keyConfigured` is the presence of `ANTHROPIC_API_KEY` in the load's env, never
+ *  the key itself; nothing here returns or logs the secret. */
+export interface SettingsData {
+    /** The truthful gate: tidy is enabled AND the API key is present. The screen renders the editor
+     *  tier only when this is true, and the honest gate note (a labelled region, no disabled controls)
+     *  otherwise. */
+    enabled: boolean;
+    /** Whether `tidy.enabled` is set in the site config, independent of the key. The gate note's
+     *  checklist reads this to show which deploy-time step is still open. */
+    tidyEnabled: boolean;
+    /** Whether the API key secret is present in the Worker env. A presence flag, never the key. */
+    keyConfigured: boolean;
+    /** The model id (a developer-tier fact, read-only on the screen). */
+    model: string;
+    /** A plain-language label for the model id ("Claude Sonnet"), so the read-only fact is not a bare
+     *  jargon token. Falls back to the raw id for an unknown model. */
+    modelLabel: string;
+    /** The resolved editor-tier conventions: every field concrete, the screen's initial control state.
+     *  Present only when the gate is open; the gate state needs no conventions. */
+    conventions: TidyConventions;
+    /** The success flash a redirected save carries (`?saved=1`). */
+    saved: boolean;
+    /** A redirected save's validation or conflict error read from `?error=`. */
+    error: string | null;
+}
+/** A refused settings save: a conflict bounce or a malformed conventions payload. Just the one-line
+ *  summary; the save commits nothing on a refusal. */
+export interface SettingsSaveFailure {
+    error: string;
+}
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent extends EventBase<GithubKeyEnv> {
     params: Record<string, string>;
@@ -150,10 +209,71 @@ export interface ContentEvent extends EventBase<GithubKeyEnv> {
     cookies?: CookieJar;
 }
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
+/** The minimal Anthropic client surface the tidy action uses, typed structurally so the SDK's deep
+ *  generics never reach a public signature and so the integration test can inject a fake whose
+ *  `messages.create` it stubs. The real factory builds `new Anthropic({ apiKey })`, which satisfies
+ *  this shape. The success path reads only the text blocks, the model, the stop reason, and the usage
+ *  counts. */
+export interface TidyClient {
+    messages: {
+        create(body: {
+            model: string;
+            max_tokens: number;
+            system: string;
+            messages: {
+                role: 'user';
+                content: string;
+            }[];
+        }, options?: {
+            signal?: AbortSignal;
+        }): Promise<{
+            content: {
+                type: string;
+                text?: string;
+            }[];
+            model: string;
+            stop_reason: string | null;
+            usage: {
+                input_tokens: number;
+                output_tokens: number;
+            };
+        }>;
+    };
+}
 export interface ContentRoutesDeps {
     /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
      *  A bare string works too; the routes await whatever comes back. */
     mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
+    /** Build the Anthropic client for the tidy action from the resolved API key. Defaults to the real
+     *  SDK client. Injected in tests so `messages.create` is stubbed and no network call (or real key)
+     *  is ever needed. The factory runs only after the key is read from the env, so a disabled or
+     *  unconfigured site never constructs a client. */
+    anthropic?: (opts: {
+        apiKey: string;
+    }) => TidyClient;
+    /** The tidy action's own request deadline in milliseconds, set shorter than the platform limit so a
+     *  slow model call becomes a clean retryable fail(502) rather than a platform timeout. Defaults to
+     *  {@link DEFAULT_TIDY_TIMEOUT_MS}. Overridable in tests to assert the deadline path without waiting. */
+    tidyTimeoutMs?: number;
+}
+/** The successful tidy outcome (spec 2.1): the corrected markdown, the model that produced it, and the
+ *  token usage. The diff is computed on the client (Task 12), so the server returns the plain text and
+ *  commits nothing. Admin-internal: consumed by the editor's review surface, not on the package's
+ *  sveltekit subpath, so it carries no reference page. */
+export interface TidyResult {
+    corrected: string;
+    model: string;
+    usage: {
+        input_tokens: number;
+        output_tokens: number;
+    };
+}
+/** A refused tidy: `fail(403)` on a failed CSRF check, `fail(503)` when tidy is disabled or the API
+ *  key is missing, `fail(413)` for an over-long body, `fail(502)` for a deadline overrun, abort, or
+ *  model error (all retryable), `fail(422)` for a model refusal, `fail(400)` for a malformed body. Just
+ *  the one-line summary; the action commits nothing, so a refusal can never corrupt the entry. */
+export interface TidyFailure {
+    error: string;
 }
 /** A blocked save or publish: `fail(400)` when the body links to a target absent from main. */
 export interface SaveFailure {
@@ -212,6 +332,46 @@ export interface MediaReplaceFailure {
 export interface MediaAltPropagateFailure {
     error: string;
 }
+/** The personal-dictionary add outcome (spec 1.6): the merged, canonical sorted word list after the
+ *  add landed. The client reconciles its pending-additions set against this (a word now in the list is
+ *  committed and dropped from pending). Admin-internal: exported for the editor host's reconcile, not
+ *  on the package's sveltekit subpath, so it carries no reference page. */
+export interface DictionaryAddResult {
+    words: string[];
+}
+/** A refused personal-dictionary add: `fail(403)` on a failed CSRF check, `fail(400)` on a body that
+ *  carries no valid word. The client keeps its pending additions for the session and re-attempts on
+ *  the next save, so the word is never silently dropped. Just the one-line summary. */
+export interface DictionaryAddFailure {
+    error: string;
+}
+/** A refused media bulk delete or orphan purge: `fail(503)` for the fail-closed strict-usage refusal
+ *  (the whole batch refuses) or media-off / a missing bucket binding. The per-item outcomes ride the
+ *  returned summary, not a fail. */
+export interface MediaBulkFailure {
+    error: string;
+}
+/** The bulk-delete outcome the component renders: the deleted hashes, the skipped rows from the
+ *  partition (with their reason and where-used), and any per-object R2 delete failure. Admin-internal,
+ *  not on the package subpath, so no reference page. */
+export interface MediaBulkDeleteResult {
+    deleted: string[];
+    skipped: BulkDeleteSkip[];
+    failed: {
+        hash: string;
+        error: string;
+    }[];
+}
+/** The orphan-purge outcome: the purged R2 keys, the keys skipped because their hash was claimed by a
+ *  manifest row since the scan, and any per-object delete failure. Admin-internal, no reference page. */
+export interface MediaOrphanPurgeResult {
+    purged: string[];
+    skippedClaimed: string[];
+    failed: {
+        key: string;
+        error: string;
+    }[];
+}
 /** One entry the replace preview will rewrite, enriched with its display title and permalink from the
  *  content manifest (the planner's PlannedEntry carries neither). The screen lists these as the
  *  confirm dialog's where-touched preview, and the apply re-derives its own plan rather than trusting
@@ -275,7 +435,7 @@ export interface MediaAltPreviewPlan {
  *  keys identify which guard refused. The media refusals ride here too, so the Media Library's one
  *  `form` prop carries a `?/mediaDelete`, `?/mediaUpdate`, `?/mediaReplace`, or `?/mediaAltPropagate`
  *  refusal without a second type. */
-export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure & MediaDeleteRefusal & MediaUpdateFailure & MediaReplaceFailure & MediaAltPropagateFailure>;
+export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure & MediaDeleteRefusal & MediaUpdateFailure & MediaReplaceFailure & MediaAltPropagateFailure & MediaBulkFailure & TidyFailure>;
 /** The successful upload's response (`uploadAction`). The server-owned `record` rides the editor's
  *  optimistic client state and commits with the entry at Save (the upload itself commits nothing).
  *  `reused` is true when identical bytes were already stored, so the second upload did no second put;
@@ -291,6 +451,8 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     indexRedirect: () => never;
     listLoad: (event: ContentEvent) => Promise<ListData>;
     mediaLibraryLoad: (event: ContentEvent) => Promise<MediaLibraryData>;
+    settingsLoad: (event: ContentEvent) => SettingsData;
+    settingsSave: (event: ContentEvent) => Promise<never>;
     createAction: (event: ContentEvent) => Promise<never>;
     editLoad: (event: ContentEvent) => Promise<EditData>;
     saveAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
@@ -302,10 +464,15 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     renameAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     uploadAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | UploadResult>;
     mediaDeleteAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    mediaBulkDelete: (event: ContentEvent) => Promise<ReturnType<typeof fail> | MediaBulkDeleteResult>;
+    mediaOrphanScan: (event: ContentEvent) => Promise<ReturnType<typeof fail> | OrphanScan>;
+    mediaPurgeOrphans: (event: ContentEvent) => Promise<ReturnType<typeof fail> | MediaOrphanPurgeResult>;
     mediaUpdateAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mediaReplacePreview: (event: ContentEvent) => Promise<ReturnType<typeof fail> | MediaReplacePreviewPlan>;
     mediaReplaceApply: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mediaAltPreview: (event: ContentEvent) => Promise<ReturnType<typeof fail> | MediaAltPreviewPlan>;
     mediaAltApply: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    addDictionaryWord: (event: ContentEvent) => Promise<ReturnType<typeof fail> | DictionaryAddResult>;
+    tidyAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | TidyResult>;
     mintToken: (env: GithubKeyEnv) => string | Promise<string>;
 };