@glw907/cairn-cms 0.59.0 → 0.60.0

package/dist/nav/site-config.js

@@ -59,6 +59,114 @@ export function validateNavTree(value, maxDepth) {
     }
     return walk(value, 1);
 }
+/** The default tidy model when a site sets none: Sonnet, the judgment floor for a light copy-edit. */
+export const DEFAULT_TIDY_MODEL = 'claude-sonnet-4-6';
+/** The resting tidy convention set: Fixes on, every style and advanced toggle off. */
+export function defaultTidyConventions() {
+    return { fixes: true, enDashRanges: false, smartQuotes: false, brandCaps: false };
+}
+/**
+ * Resolve a partial conventions config (from the YAML) into the concrete TidyConventions the prompt
+ * builder consumes. An absent field falls to its default: Fixes on, the style and advanced toggles
+ * off. A multi-position toggle stays undefined (off) unless the config names a variant.
+ */
+export function resolveTidyConventions(partial) {
+    const base = defaultTidyConventions();
+    if (partial === undefined)
+        return base;
+    return {
+        fixes: partial.fixes ?? base.fixes,
+        oxfordComma: partial.oxfordComma,
+        numberStyle: partial.numberStyle,
+        measurements: partial.measurements,
+        percent: partial.percent,
+        emDash: partial.emDash,
+        enDashRanges: partial.enDashRanges ?? base.enDashRanges,
+        ellipsis: partial.ellipsis,
+        timeFormat: partial.timeFormat,
+        smartQuotes: partial.smartQuotes ?? base.smartQuotes,
+        brandCaps: partial.brandCaps ?? base.brandCaps,
+    };
+}
+// The allowed values for each multi-position style toggle, the single source the validator checks an
+// untrusted settings payload against. A value outside its list is rejected, so the committed YAML can
+// only ever carry a known variant the prompt builder understands.
+const OXFORD_COMMA_VALUES = ['always', 'complex-only', 'never'];
+const NUMBER_STYLE_VALUES = ['under-ten', 'under-hundred', 'always-numerals'];
+const MEASUREMENTS_VALUES = ['abbreviate', 'spell-out'];
+const PERCENT_VALUES = ['sign', 'word'];
+const EM_DASH_VALUES = ['spaced', 'closed'];
+const ELLIPSIS_VALUES = ['single-char', 'three-dots'];
+const TIME_FORMAT_VALUES = ['5 PM', '5pm', '5 p.m.'];
+export class TidyConventionsError extends Error {
+    /** A malformed settings payload maps to the same diagnostic as a malformed config. */
+    conditionId = 'config.site-config-invalid';
+    constructor(message) {
+        super(message);
+        this.name = 'TidyConventionsError';
+    }
+}
+/**
+ * Validate and normalize an untrusted conventions object (from the settings form) into a concrete
+ * TidyConventions. This input is committed to the repo, so every field is bounded to its known set:
+ * a boolean toggle must be a boolean, and a multi-position toggle must be one of its listed variants
+ * or absent (off). An unknown key is dropped rather than carried, so the committed block can never
+ * grow a junk key. Throws TidyConventionsError on a value outside its allowed set.
+ */
+export function validateTidyConventions(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        throw new TidyConventionsError('Tidy conventions must be an object');
+    }
+    const input = value;
+    function bool(key, fallback) {
+        const v = input[key];
+        if (v === undefined)
+            return fallback;
+        if (typeof v !== 'boolean')
+            throw new TidyConventionsError(`${key} must be true or false`);
+        return v;
+    }
+    function variant(key, allowed) {
+        const v = input[key];
+        if (v === undefined || v === null || v === false)
+            return undefined;
+        if (typeof v !== 'string' || !allowed.includes(v)) {
+            throw new TidyConventionsError(`${key} must be one of ${allowed.join(', ')}`);
+        }
+        return v;
+    }
+    return {
+        fixes: bool('fixes', true),
+        oxfordComma: variant('oxfordComma', OXFORD_COMMA_VALUES),
+        numberStyle: variant('numberStyle', NUMBER_STYLE_VALUES),
+        measurements: variant('measurements', MEASUREMENTS_VALUES),
+        percent: variant('percent', PERCENT_VALUES),
+        emDash: variant('emDash', EM_DASH_VALUES),
+        enDashRanges: bool('enDashRanges', false),
+        ellipsis: variant('ellipsis', ELLIPSIS_VALUES),
+        timeFormat: variant('timeFormat', TIME_FORMAT_VALUES),
+        smartQuotes: bool('smartQuotes', false),
+        brandCaps: bool('brandCaps', false),
+    };
+}
+/** The dialect string when a site sets none: US English, the only dictionary that ships today. */
+export const DEFAULT_DIALECT = 'en-US';
+// The dialect-to-dictionary map. Only US English ships now; a new locale adds one entry here and one
+// committed dictionary file under spellcheck-assets, and the rest of the chain (the main-thread URL
+// resolution, the worker fetch) needs no change. An unknown or unset dialect falls back to the default
+// rather than throwing, so a typo or a future-locale config never breaks the editor.
+const DICTIONARY_BY_DIALECT = {
+    'en-US': 'dictionary-en-us.txt',
+};
+/**
+ * The dictionary asset file for a site's configured dialect, defaulting to US English. The main thread
+ * resolves this filename to a real URL (the spike's out-of-bundle asset) and hands it to the Worker in
+ * the `init` message; the Worker never reads config. An unknown dialect falls back to the default file.
+ */
+export function dictionaryFileForDialect(dialect) {
+    const key = dialect ?? DEFAULT_DIALECT;
+    return DICTIONARY_BY_DIALECT[key] ?? DICTIONARY_BY_DIALECT[DEFAULT_DIALECT];
+}
 export class SiteConfigError extends Error {
     /** The registered diagnostic condition a malformed site config maps to (mirrors CairnError). */
     conditionId = 'config.site-config-invalid';
@@ -104,3 +212,27 @@ export function setMenu(raw, name, tree) {
     doc.setIn(['menus', name], tree);
     return doc.toString();
 }
+/**
+ * Write the editor-tier tidy conventions into the YAML site-config text and reserialize, preserving
+ * every other top-level key and the file's comments and key order (parseDocument round-trips both,
+ * the same machinery setMenu uses). Only the `tidy.conventions` block is touched: the developer-tier
+ * `tidy.enabled` and `tidy.model` are read-only in the screen, so this leaves them as they are and a
+ * save can never silently flip the deploy-time facts. A convention whose value is undefined (a
+ * collapsed multi-position toggle, off) is dropped, so the committed block carries only the on
+ * toggles, the same shape `resolveTidyConventions` fills the defaults back from on read.
+ */
+export function setTidy(raw, conventions) {
+    const doc = parseDocument(raw);
+    if (doc.get('siteName') === undefined) {
+        throw new SiteConfigError('Site config must be a mapping with a siteName');
+    }
+    // Drop undefined-valued keys (a collapsed multi-position toggle) so the committed YAML carries only
+    // the enabled conventions; the resolver fills the rest back from defaults on read.
+    const block = {};
+    for (const [key, value] of Object.entries(conventions)) {
+        if (value !== undefined)
+            block[key] = value;
+    }
+    doc.setIn(['tidy', 'conventions'], block);
+    return doc.toString();
+}

package/dist/sveltekit/admin-dispatch.d.ts

@@ -19,6 +19,8 @@ export type AdminView = {
     view: 'nav';
 } | {
     view: 'media';
+} | {
+    view: 'settings';
 };
 /**
  * Parse a raw `URL.pathname` (the caller passes `event.url.pathname`, never a SvelteKit rest

package/dist/sveltekit/admin-dispatch.js

@@ -3,8 +3,8 @@ import { isValidId } from '../content/ids.js';
 /**
  * Fixed first segments that never resolve as concepts. The engine only allows posts and pages
  * today, so no collision is possible, but the parser does not depend on that: a reserved
- * segment wins before concept lookup. `settings` has no view yet; AdminLayout already links
- * the sidebar to /admin/settings, so the URL is spoken for.
+ * segment wins before concept lookup. `settings`, `nav`, and `media` are decided as views below,
+ * so they are not in this no-view set.
  */
 const RESERVED_SEGMENTS = new Set(['login', 'auth', 'editors', 'nav', 'settings']);
 /**
@@ -47,6 +47,10 @@ export function parseAdminPath(pathname, concepts) {
         // concept), which is the correct shape.
         if (head === 'media')
             return { view: 'media' };
+        // settings is its own view, a peer of editors and nav. /admin/settings/<anything> 404s naturally
+        // (the two-segment branch never matches settings), which is the correct shape.
+        if (head === 'settings')
+            return { view: 'settings' };
         if (RESERVED_SEGMENTS.has(head))
             return null;
         const concept = findConcept(concepts, head);

package/dist/sveltekit/cairn-admin.d.ts

@@ -1,4 +1,4 @@
-import { type ContentRoutesDeps, type LayoutData, type ListData, type EditData, type MediaLibraryData } from './content-routes.js';
+import { type ContentRoutesDeps, type LayoutData, type ListData, type EditData, type MediaLibraryData, type SettingsData } from './content-routes.js';
 import { type NavLoadData } from './nav-routes.js';
 import type { AuthBranding, SendMagicLink } from '../email.js';
 import type { AuthEnv, Editor } from '../auth/types.js';
@@ -21,6 +21,11 @@ export interface CairnAdminDeps {
     branding?: AuthBranding;
     send?: SendMagicLink;
     mintToken?: ContentRoutesDeps['mintToken'];
+    /** Build the Anthropic client for the tidy action. Forwarded to the content routes; a site that
+     *  enables tidy injects a stub here to avoid a real network call. Defaults to the real SDK client. */
+    anthropic?: ContentRoutesDeps['anthropic'];
+    /** The tidy action's own request deadline in milliseconds. Forwarded to the content routes. */
+    tidyTimeoutMs?: ContentRoutesDeps['tidyTimeoutMs'];
 }
 /**
  * One admin view's data, discriminated for the admin page component's switch. The public
@@ -65,6 +70,10 @@ export type AdminData = {
     view: 'media';
     layout: LayoutData;
     page: MediaLibraryData;
+} | {
+    view: 'settings';
+    layout: LayoutData;
+    page: SettingsData;
 };
 export declare function createCairnAdmin(runtime: CairnRuntime, deps?: CairnAdminDeps): {
     load: (event: AdminEvent) => Promise<AdminData>;
@@ -74,10 +83,13 @@ export declare function createCairnAdmin(runtime: CairnRuntime, deps?: CairnAdmi
         logout: (event: AdminEvent) => Promise<never>;
         create: (event: AdminEvent) => Promise<never>;
         save: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        saveSettings: (event: AdminEvent) => Promise<never>;
         upload: (event: AdminEvent) => Promise<import("./content-routes.js").UploadResult | import("@sveltejs/kit").ActionFailure<unknown>>;
         publish: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
         discard: (event: AdminEvent) => Promise<never>;
         rename: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
+        addDictionaryWord: (event: AdminEvent) => Promise<import("./content-routes.js").DictionaryAddResult | import("@sveltejs/kit").ActionFailure<unknown>>;
+        tidy: (event: AdminEvent) => Promise<import("./content-routes.js").TidyResult | import("@sveltejs/kit").ActionFailure<unknown>>;
         delete: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
         mediaDelete: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;
         mediaUpdate: (event: AdminEvent) => Promise<import("@sveltejs/kit").ActionFailure<unknown>>;

package/dist/sveltekit/cairn-admin.js

@@ -19,7 +19,11 @@ export function createCairnAdmin(runtime, deps = {}) {
         replyTo: runtime.sender.replyTo,
     };
     const auth = createAuthRoutes({ branding, send: deps.send });
-    const content = createContentRoutes(runtime, { mintToken: deps.mintToken });
+    const content = createContentRoutes(runtime, {
+        mintToken: deps.mintToken,
+        anthropic: deps.anthropic,
+        tidyTimeoutMs: deps.tidyTimeoutMs,
+    });
     const editors = createEditorRoutes();
     // The nav surface exists only when the site configures a menu; without one its view is a 404.
     const nav = runtime.navMenu ? createNavRoutes(runtime, { mintToken: deps.mintToken }) : null;
@@ -82,6 +86,11 @@ export function createCairnAdmin(runtime, deps = {}) {
                 const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.mediaLibraryLoad(delegated)]);
                 return { view: 'media', layout, page };
             }
+            case 'settings': {
+                const delegated = contentEvent(event, {});
+                const [layout, page] = await Promise.all([content.layoutLoad(delegated), content.settingsLoad(delegated)]);
+                return { view: 'settings', layout, page };
+            }
         }
     }
     /** Wrap a delegate in the parse-and-check every action shares: parse the pathname exactly
@@ -97,9 +106,9 @@ export function createCairnAdmin(runtime, deps = {}) {
         };
     }
     // The topbar posts publishAll from every authed admin page; login and confirm may not.
-    const authedViews = ['list', 'edit', 'editors', 'nav', 'media'];
+    const authedViews = ['list', 'edit', 'editors', 'nav', 'media', 'settings'];
     // An editor signs out from wherever they are, so logout accepts any parsed view.
-    const anyView = ['index', 'login', 'confirm', 'list', 'edit', 'editors', 'nav', 'media'];
+    const anyView = ['index', 'login', 'confirm', 'list', 'edit', 'editors', 'nav', 'media', 'settings'];
     /** The full admin action vocabulary, one named async function per action, so a site's
      *  catch-all route exports `admin.actions` directly. Each wrapper stays thin: parse,
      *  validate the view, synthesize the params the wrapped action reads, delegate. The
@@ -116,10 +125,20 @@ export function createCairnAdmin(runtime, deps = {}) {
                 throw error(404, 'Not found');
             return nav.navSave(contentEvent(event, {}));
         }),
+        // The tidy settings save (spec 2.8, Task 15): the editor commits the per-convention block to the
+        // committed YAML. Gated to the settings view, so it 404s elsewhere; the action itself 404s again
+        // when tidy is off, the server half of the truthful visibility gate.
+        saveSettings: viewAction(['settings'], (event) => content.settingsSave(contentEvent(event, {}))),
         upload: viewAction(['edit'], (event, view) => content.uploadAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
         publish: viewAction(['edit'], (event, view) => content.publishAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
         discard: viewAction(['edit'], (event, view) => content.discardAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
         rename: viewAction(['edit'], (event, view) => content.renameAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        // The personal-dictionary add (spec 1.6): the editor commits its pending add-to-dictionary words at
+        // save time. Gated to the edit view, where the spellcheck surface lives, so it 404s elsewhere.
+        addDictionaryWord: viewAction(['edit'], (event, view) => content.addDictionaryWord(contentEvent(event, { concept: view.concept.id, id: view.id }))),
+        // Tidy (spec 2.1): the editor posts the buffer to `?/tidy` for a light LLM copy-edit. Gated to the
+        // edit view, where the review surface lives, so it 404s elsewhere.
+        tidy: viewAction(['edit'], (event, view) => content.tidyAction(contentEvent(event, { concept: view.concept.id, id: view.id }))),
         delete: viewAction(['edit', 'list'], (event, view) => view.view === 'edit'
             ? content.deleteAction(contentEvent(event, { concept: view.concept.id, id: view.id }))
             : content.listDeleteAction(contentEvent(event, { concept: view.concept.id }))),

package/dist/sveltekit/content-routes.d.ts

@@ -1,6 +1,7 @@
 import { fail } from '@sveltejs/kit';
 import { type GithubKeyEnv } from '../github/credentials.js';
 import { type LinkTarget, type InboundLink } from '../content/manifest.js';
+import type { TidyConventions } from '../nav/site-config.js';
 import type { MediaEntry } from '../media/manifest.js';
 import type { MediaLibrary, MediaLibraryEntry } from '../media/library-entry.js';
 import type { UsageEntry } from '../media/usage.js';
@@ -116,6 +117,26 @@ export interface EditData {
      *  when one exists, applied over the top-level values); null when the site sets none, which
      *  leaves the frame rendering unstyled markup behind a hint. */
     preview: ResolvedPreview | null;
+    /** The spellcheck dictionary file for the site's configured dialect (default US English), resolved
+     *  once at compose. The editor resolves it to a real asset URL on the main thread and hands that URL
+     *  to the spellcheck Worker's `init`, the same way `mediaLibrary` is threaded in. Just the filename,
+     *  e.g. "dictionary-en-us.txt". */
+    spellcheckDictionary: string;
+    /** The committed personal-dictionary words for the site (spec 1.6): the durable, shared, reviewable
+     *  layer the editor seeds the spellcheck Worker's personal set from, the way `mediaLibrary` is handed
+     *  in. Read from the git-committed `dictionary.txt` at editor load; empty when the file is absent or
+     *  unreadable (the editor degrades to dialect-only). The dialect dictionary and the session ignore
+     *  list are the other two layers; only this one is committed. */
+    siteDictionary: string[];
+    /** The editor-tier tidy facts the review surface needs (spec 2.5): whether tidy is enabled, the model
+     *  that runs (for the head pill), and the RESOLVED conventions (the only data source for a
+     *  normalization's because-line and the local category inference). The API key never appears here, it
+     *  is a Worker secret. `enabled` false hides the Tidy control. */
+    tidy: {
+        enabled: boolean;
+        model: string;
+        conventions: TidyConventions;
+    };
 }
 /** One asset's where-used overlay, kept separate from MediaLibraryEntry so the picker's shared
  *  projection stays decoupled from the Library-only usage facts. */
@@ -145,6 +166,41 @@ export interface MediaLibraryData {
      *  its own slot rather than the degraded-load `error` above, so the two never collide. */
     flashError: string | null;
 }
+/** The two-tier tidy settings load (spec 2.8, Task 15). The developer tier is read-only: `enabled`,
+ *  `keyConfigured`, and `model`/`modelLabel` are deploy-time facts the editor sees but cannot change.
+ *  The editor tier is the resolved `conventions` block, written back through the save. The visibility
+ *  gate is truthful: `enabled` is true only when `tidy.enabled` is set AND the API key is present, so
+ *  the screen renders the convention list only then and the honest gate note otherwise. The key is a
+ *  Worker secret, so `keyConfigured` is the presence of `ANTHROPIC_API_KEY` in the load's env, never
+ *  the key itself; nothing here returns or logs the secret. */
+export interface SettingsData {
+    /** The truthful gate: tidy is enabled AND the API key is present. The screen renders the editor
+     *  tier only when this is true, and the honest gate note (a labelled region, no disabled controls)
+     *  otherwise. */
+    enabled: boolean;
+    /** Whether `tidy.enabled` is set in the site config, independent of the key. The gate note's
+     *  checklist reads this to show which deploy-time step is still open. */
+    tidyEnabled: boolean;
+    /** Whether the API key secret is present in the Worker env. A presence flag, never the key. */
+    keyConfigured: boolean;
+    /** The model id (a developer-tier fact, read-only on the screen). */
+    model: string;
+    /** A plain-language label for the model id ("Claude Sonnet"), so the read-only fact is not a bare
+     *  jargon token. Falls back to the raw id for an unknown model. */
+    modelLabel: string;
+    /** The resolved editor-tier conventions: every field concrete, the screen's initial control state.
+     *  Present only when the gate is open; the gate state needs no conventions. */
+    conventions: TidyConventions;
+    /** The success flash a redirected save carries (`?saved=1`). */
+    saved: boolean;
+    /** A redirected save's validation or conflict error read from `?error=`. */
+    error: string | null;
+}
+/** A refused settings save: a conflict bounce or a malformed conventions payload. Just the one-line
+ *  summary; the save commits nothing on a refusal. */
+export interface SettingsSaveFailure {
+    error: string;
+}
 /** The structural event the content routes read; a real SvelteKit RequestEvent satisfies it. */
 export interface ContentEvent extends EventBase<GithubKeyEnv> {
     params: Record<string, string>;
@@ -153,10 +209,71 @@ export interface ContentEvent extends EventBase<GithubKeyEnv> {
     cookies?: CookieJar;
 }
 /** Injectable dependencies; tests stub the token mint to avoid signing a real key. */
+/** The minimal Anthropic client surface the tidy action uses, typed structurally so the SDK's deep
+ *  generics never reach a public signature and so the integration test can inject a fake whose
+ *  `messages.create` it stubs. The real factory builds `new Anthropic({ apiKey })`, which satisfies
+ *  this shape. The success path reads only the text blocks, the model, the stop reason, and the usage
+ *  counts. */
+export interface TidyClient {
+    messages: {
+        create(body: {
+            model: string;
+            max_tokens: number;
+            system: string;
+            messages: {
+                role: 'user';
+                content: string;
+            }[];
+        }, options?: {
+            signal?: AbortSignal;
+        }): Promise<{
+            content: {
+                type: string;
+                text?: string;
+            }[];
+            model: string;
+            stop_reason: string | null;
+            usage: {
+                input_tokens: number;
+                output_tokens: number;
+            };
+        }>;
+    };
+}
 export interface ContentRoutesDeps {
     /** Mint a GitHub App installation token from the Worker env. Defaults to the real signer.
      *  A bare string works too; the routes await whatever comes back. */
     mintToken?: (env: GithubKeyEnv) => string | Promise<string>;
+    /** Build the Anthropic client for the tidy action from the resolved API key. Defaults to the real
+     *  SDK client. Injected in tests so `messages.create` is stubbed and no network call (or real key)
+     *  is ever needed. The factory runs only after the key is read from the env, so a disabled or
+     *  unconfigured site never constructs a client. */
+    anthropic?: (opts: {
+        apiKey: string;
+    }) => TidyClient;
+    /** The tidy action's own request deadline in milliseconds, set shorter than the platform limit so a
+     *  slow model call becomes a clean retryable fail(502) rather than a platform timeout. Defaults to
+     *  {@link DEFAULT_TIDY_TIMEOUT_MS}. Overridable in tests to assert the deadline path without waiting. */
+    tidyTimeoutMs?: number;
+}
+/** The successful tidy outcome (spec 2.1): the corrected markdown, the model that produced it, and the
+ *  token usage. The diff is computed on the client (Task 12), so the server returns the plain text and
+ *  commits nothing. Admin-internal: consumed by the editor's review surface, not on the package's
+ *  sveltekit subpath, so it carries no reference page. */
+export interface TidyResult {
+    corrected: string;
+    model: string;
+    usage: {
+        input_tokens: number;
+        output_tokens: number;
+    };
+}
+/** A refused tidy: `fail(403)` on a failed CSRF check, `fail(503)` when tidy is disabled or the API
+ *  key is missing, `fail(413)` for an over-long body, `fail(502)` for a deadline overrun, abort, or
+ *  model error (all retryable), `fail(422)` for a model refusal, `fail(400)` for a malformed body. Just
+ *  the one-line summary; the action commits nothing, so a refusal can never corrupt the entry. */
+export interface TidyFailure {
+    error: string;
 }
 /** A blocked save or publish: `fail(400)` when the body links to a target absent from main. */
 export interface SaveFailure {
@@ -215,6 +332,19 @@ export interface MediaReplaceFailure {
 export interface MediaAltPropagateFailure {
     error: string;
 }
+/** The personal-dictionary add outcome (spec 1.6): the merged, canonical sorted word list after the
+ *  add landed. The client reconciles its pending-additions set against this (a word now in the list is
+ *  committed and dropped from pending). Admin-internal: exported for the editor host's reconcile, not
+ *  on the package's sveltekit subpath, so it carries no reference page. */
+export interface DictionaryAddResult {
+    words: string[];
+}
+/** A refused personal-dictionary add: `fail(403)` on a failed CSRF check, `fail(400)` on a body that
+ *  carries no valid word. The client keeps its pending additions for the session and re-attempts on
+ *  the next save, so the word is never silently dropped. Just the one-line summary. */
+export interface DictionaryAddFailure {
+    error: string;
+}
 /** A refused media bulk delete or orphan purge: `fail(503)` for the fail-closed strict-usage refusal
  *  (the whole batch refuses) or media-off / a missing bucket binding. The per-item outcomes ride the
  *  returned summary, not a fail. */
@@ -305,7 +435,7 @@ export interface MediaAltPreviewPlan {
  *  keys identify which guard refused. The media refusals ride here too, so the Media Library's one
  *  `form` prop carries a `?/mediaDelete`, `?/mediaUpdate`, `?/mediaReplace`, or `?/mediaAltPropagate`
  *  refusal without a second type. */
-export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure & MediaDeleteRefusal & MediaUpdateFailure & MediaReplaceFailure & MediaAltPropagateFailure & MediaBulkFailure>;
+export type ContentFormFailure = Partial<SaveFailure & DeleteRefusal & RenameFailure & MediaDeleteRefusal & MediaUpdateFailure & MediaReplaceFailure & MediaAltPropagateFailure & MediaBulkFailure & TidyFailure>;
 /** The successful upload's response (`uploadAction`). The server-owned `record` rides the editor's
  *  optimistic client state and commits with the entry at Save (the upload itself commits nothing).
  *  `reused` is true when identical bytes were already stored, so the second upload did no second put;
@@ -321,6 +451,8 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     indexRedirect: () => never;
     listLoad: (event: ContentEvent) => Promise<ListData>;
     mediaLibraryLoad: (event: ContentEvent) => Promise<MediaLibraryData>;
+    settingsLoad: (event: ContentEvent) => SettingsData;
+    settingsSave: (event: ContentEvent) => Promise<never>;
     createAction: (event: ContentEvent) => Promise<never>;
     editLoad: (event: ContentEvent) => Promise<EditData>;
     saveAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
@@ -340,5 +472,7 @@ export declare function createContentRoutes(runtime: CairnRuntime, deps?: Conten
     mediaReplaceApply: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
     mediaAltPreview: (event: ContentEvent) => Promise<ReturnType<typeof fail> | MediaAltPreviewPlan>;
     mediaAltApply: (event: ContentEvent) => Promise<ReturnType<typeof fail> | never>;
+    addDictionaryWord: (event: ContentEvent) => Promise<ReturnType<typeof fail> | DictionaryAddResult>;
+    tidyAction: (event: ContentEvent) => Promise<ReturnType<typeof fail> | TidyResult>;
     mintToken: (env: GithubKeyEnv) => string | Promise<string>;
 };