@natilon/cms-server 0.1.1 → 0.3.0

package/src/adapters/github-content.mjs

@@ -1,3 +1,6 @@
+import { createGitHubApi } from "./github-api.mjs";
+import { sanitize, safeFileName, sortPages, buildDuplicateData, listScheduledDue, commitMsg } from "./_shared.mjs";
+
 /**
  * GitHub Contents API adapter — serverless content backend.
  *
@@ -28,48 +31,10 @@
  * @returns {import('./types.mjs').ContentAdapter}
  */
 export function createGitHubContent({ token, owner, repo, branch, pagesDir, commitMessage }) {
-  const BASE = `https://api.github.com/repos/${owner}/${repo}`;
+  const { apiGet, apiPut, apiDelete, apiPost, apiPatch, graphql } = createGitHubApi({ token, owner, repo });
   // SHA cache: avoid extra GET before every PUT. Invalidated on write.
   const shaCache = new Map();
 
-  const headers = () => ({
-    Authorization: `Bearer ${token}`,
-    Accept: "application/vnd.github+json",
-    "X-GitHub-Api-Version": "2022-11-28",
-    "User-Agent": "natilon-cms",
-    "Content-Type": "application/json",
-  });
-
-  async function apiGet(path) {
-    const r = await fetch(`${BASE}${path}`, { headers: headers() });
-    if (r.status === 404) return null;
-    if (!r.ok) throw new Error(`GitHub API ${r.status} GET ${path}`);
-    return r.json();
-  }
-
-  async function apiPut(path, body) {
-    const r = await fetch(`${BASE}${path}`, {
-      method: "PUT",
-      headers: headers(),
-      body: JSON.stringify(body),
-    });
-    if (!r.ok) {
-      const err = await r.json().catch(() => ({}));
-      throw new Error(`GitHub API ${r.status} PUT ${path}: ${err.message || ""}`);
-    }
-    return r.json();
-  }
-
-  async function apiDelete(path, body) {
-    const r = await fetch(`${BASE}${path}`, {
-      method: "DELETE",
-      headers: headers(),
-      body: JSON.stringify(body),
-    });
-    if (!r.ok) throw new Error(`GitHub API ${r.status} DELETE ${path}`);
-    return r.json();
-  }
-
   function contentPath(collection, file) {
     return `${pagesDir}/${collection}/${file}`;
   }
@@ -91,15 +56,6 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
     return Buffer.from(JSON.stringify(obj, null, 2), "utf-8").toString("base64");
   }
 
-  function commitMsg() {
-    const ts = new Date().toISOString().replace("T", " ").slice(0, 19);
-    return commitMessage ? commitMessage(ts) : `Content updated ${ts}`;
-  }
-
-  function sanitize(p) {
-    return String(p).replace(/[^a-zA-Z0-9._-]/g, "");
-  }
-
   return {
     async listCollections() {
       const items = await apiGet(`/contents/${pagesDir}?ref=${branch}`);
@@ -114,17 +70,22 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
       );
     },
 
-    async listPages(collection, sortConfig = null) {
+    async _listPagesRest(collection, sortConfig) {
       const items = await apiGet(`/contents/${pagesDir}/${collection}?ref=${branch}`);
       if (!Array.isArray(items)) return null;
       const jsonFiles = items.filter((i) => i.type === "file" && i.name.endsWith(".json"));
 
       const pages = await Promise.all(
         jsonFiles.map(async (item) => {
-          const fileData = await apiGet(`/contents/${item.path}?ref=${branch}`);
-          if (!fileData) return null;
-          shaCache.set(item.path, fileData.sha);
-          const data = decodeContent(fileData);
+          shaCache.set(item.path, item.sha);
+          const r = await fetch(item.download_url, {
+            headers: {
+              Authorization: `Bearer ${token}`,
+              "User-Agent": "natilon-cms",
+            },
+          });
+          if (!r.ok) return null;
+          const data = await r.json();
           return {
             id: data.id,
             slug: data.slug,
@@ -138,22 +99,83 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
       );
 
       const valid = pages.filter(Boolean);
-      if (sortConfig) {
-        const dir = sortConfig.direction === "desc" ? -1 : 1;
-        valid.sort((a, b) => {
-          const av = a.meta?.[sortConfig.field] ?? "";
-          const bv = b.meta?.[sortConfig.field] ?? "";
-          if (av < bv) return -1 * dir;
-          if (av > bv) return 1 * dir;
-          return 0;
-        });
-      } else {
-        valid.sort((a, b) => a.title.localeCompare(b.title));
+      return sortPages(valid, sortConfig);
+    },
+
+    async listPages(collection, sortConfig = null) {
+      // Primary path: single GraphQL request fetches all blob contents at once.
+      // Falls back to the REST N+1 path if GraphQL throws.
+      const safeCollection = sanitize(collection);
+      const expression = `${branch}:${pagesDir}/${safeCollection}`;
+      const QUERY = `
+        query($owner: String!, $repo: String!, $expr: String!) {
+          repository(owner: $owner, name: $repo) {
+            object(expression: $expr) {
+              ... on Tree {
+                entries {
+                  name
+                  oid
+                  type
+                  object {
+                    ... on Blob {
+                      text
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      `;
+
+      let useRest = false;
+      let gqlData = null;
+      try {
+        gqlData = await graphql(QUERY, { owner, repo, expr: expression });
+      } catch {
+        useRest = true;
+      }
+
+      if (!useRest) {
+        const treeObj = gqlData?.repository?.object;
+        // collection directory doesn't exist
+        if (treeObj === null || treeObj === undefined) {
+          // If GraphQL returned data but object is null, collection is missing
+          if (gqlData?.repository !== undefined) return null;
+          // Otherwise fall back
+          useRest = true;
+        } else {
+          const entries = treeObj.entries || [];
+          const pages = [];
+          for (const entry of entries) {
+            if (entry.type !== "blob" || !entry.name.endsWith(".json")) continue;
+            const path = `${pagesDir}/${safeCollection}/${entry.name}`;
+            shaCache.set(path, entry.oid);
+            let data;
+            try {
+              data = JSON.parse(entry.object.text);
+            } catch {
+              continue;
+            }
+            pages.push({
+              id: data.id,
+              slug: data.slug,
+              lang: data.lang,
+              collection: data.collection,
+              title: data.meta?.title || data.meta?.name || entry.name,
+              file: entry.name,
+              meta: data.meta || {},
+            });
+          }
+          return sortPages(pages, sortConfig);
+        }
       }
-      return valid;
+
+      return this._listPagesRest(collection, sortConfig);
     },
 
     async readPage(collection, file) {
+      if (!safeFileName(file)) return null;
       const path = contentPath(collection, sanitize(file));
       const data = await apiGet(`/contents/${path}?ref=${branch}`);
       if (!data || Array.isArray(data)) return null;
@@ -165,7 +187,7 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
       const path = contentPath(collection, sanitize(file));
       const sha = await getFileSha(path);
       const result = await apiPut(`/contents/${path}`, {
-        message: commitMsg(),
+        message: commitMsg(commitMessage),
         content: encodeContent(data),
         branch,
         ...(sha ? { sha } : {}),
@@ -178,7 +200,7 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
       const fileName = `${sanitize(data.lang || "en")}-${sanitize(slug)}.json`;
       const path = contentPath(collection, fileName);
       const result = await apiPut(`/contents/${path}`, {
-        message: commitMsg(),
+        message: commitMsg(commitMessage),
         content: encodeContent(data),
         branch,
       });
@@ -187,37 +209,20 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
     },
 
     async deletePage(collection, file) {
+      if (!safeFileName(file)) return null;
       const path = contentPath(collection, sanitize(file));
       const sha = await getFileSha(path);
       if (!sha) return false;
-      await apiDelete(`/contents/${path}`, { message: commitMsg(), sha, branch });
+      await apiDelete(`/contents/${path}`, { message: commitMsg(commitMessage), sha, branch });
       shaCache.delete(path);
       return true;
     },
 
     async duplicatePage(collection, file) {
+      if (!safeFileName(file)) return null;
       const src = await this.readPage(collection, file);
       if (!src) return null;
-      const lang = src.lang || "en";
-      const baseSlug = (src.slug || "page").replace(/-copy(-\d+)?$/, "");
-      const newSlug = `${baseSlug}-copy-${Math.floor(Date.now() / 1000)}`;
-
-      function reid(blocks) {
-        if (!Array.isArray(blocks)) return blocks;
-        return blocks.map((b) => {
-          const next = { ...b, id: "b-" + Math.random().toString(36).slice(2, 9) };
-          if (Array.isArray(b.children)) next.children = b.children.map((col) => reid(col));
-          return next;
-        });
-      }
-
-      const data = {
-        ...src,
-        id: `${lang}/${newSlug}`,
-        slug: newSlug,
-        meta: { ...(src.meta || {}), title: `${src.meta?.title || newSlug} (Copy)` },
-        blocks: reid(src.blocks || []),
-      };
+      const { data, fileName } = buildDuplicateData(src);
       return this.createPage(collection, data);
     },
 
@@ -232,6 +237,7 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
     },
 
     async listHistory(collection, file) {
+      if (!safeFileName(file)) return null;
       const path = contentPath(collection, sanitize(file));
       const commits = await apiGet(`/commits?path=${encodeURIComponent(path)}&per_page=20&sha=${branch}`);
       if (!Array.isArray(commits)) return [];
@@ -245,6 +251,7 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
     },
 
     async restoreHistory(collection, file, commitSha) {
+      if (!safeFileName(file)) return null;
       const path = contentPath(collection, sanitize(file));
       const fileData = await apiGet(`/contents/${path}?ref=${commitSha}`);
       if (!fileData || Array.isArray(fileData)) return false;
@@ -253,20 +260,54 @@ export function createGitHubContent({ token, owner, repo, branch, pagesDir, comm
       return true;
     },
 
-    async listScheduled() {
-      const collections = await this.listCollections();
-      const now = new Date();
-      const due = [];
-      for (const { name } of collections) {
-        const pages = await this.listPages(name);
-        for (const page of pages || []) {
-          if (page.meta?.publishAt && new Date(page.meta.publishAt) <= now) {
-            const data = await this.readPage(name, page.file);
-            if (data?.meta?.publishAt) due.push({ collection: name, file: page.file, data });
-          }
-        }
+    async writeBatch(items, message) {
+      if (!items.length) return { ok: true, commitCount: 0 };
+
+      // 1. Get current ref → base commit SHA
+      const refData = await apiGet(`/git/ref/heads/${branch}`);
+      const baseCommitSha = refData.object.sha;
+
+      // 2. Get base commit → base tree SHA
+      const baseCommit = await apiGet(`/git/commits/${baseCommitSha}`);
+      const baseTreeSha = baseCommit.tree.sha;
+
+      // 3. Create one blob per file
+      const treeItems = await Promise.all(
+        items.map(async ({ collection, file, data }) => {
+          const filePath = contentPath(sanitize(collection), sanitize(file));
+          const content = Buffer.from(JSON.stringify(data, null, 2), "utf-8").toString("base64");
+          const blob = await apiPost(`/git/blobs`, { content, encoding: "base64" });
+          return { path: filePath, mode: "100644", type: "blob", sha: blob.sha };
+        }),
+      );
+
+      // 4. Create tree
+      const newTree = await apiPost(`/git/trees`, {
+        base_tree: baseTreeSha,
+        tree: treeItems,
+      });
+
+      // 5. Create commit
+      const msg = message || commitMsg(commitMessage, "Batch content update");
+      const newCommit = await apiPost(`/git/commits`, {
+        message: msg,
+        tree: newTree.sha,
+        parents: [baseCommitSha],
+      });
+
+      // 6. Update ref
+      await apiPatch(`/git/refs/heads/${branch}`, { sha: newCommit.sha });
+
+      // 7. Invalidate shaCache for all written paths
+      for (const { collection, file } of items) {
+        shaCache.delete(contentPath(sanitize(collection), sanitize(file)));
       }
-      return due;
+
+      return { ok: true, sha: newCommit.sha, commitCount: 1 };
+    },
+
+    async listScheduled() {
+      return listScheduledDue(this);
     },
   };
 }

package/src/adapters/github-oauth.mjs

@@ -1,9 +1,5 @@
 import crypto from "crypto";
 
-const GITHUB_AUTH_URL = "https://github.com/login/oauth/authorize";
-const GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";
-const GITHUB_USER_URL = "https://api.github.com/user";
-
 /**
  * GitHub OAuth adapter — drop-in replacement for createBasicAuth.
  *
@@ -73,7 +69,26 @@ export function createGitHubOAuth({
     const parts = (tokenStr || "").split(".");
     if (parts.length !== 3) return null;
     const [header, payload, sig] = parts;
-    if (sign(header, payload) !== sig) return null;
+
+    // Decode and validate header
+    try {
+      const headerData = JSON.parse(Buffer.from(header, "base64url").toString());
+      if (headerData.alg !== "HS256" || headerData.typ !== "JWT") return null;
+    } catch {
+      return null;
+    }
+
+    // Timing-safe signature comparison
+    const expectedSig = sign(header, payload);
+    const sigBuf = Buffer.from(sig, "base64url");
+    const expectedBuf = Buffer.from(expectedSig, "base64url");
+    if (sigBuf.length !== expectedBuf.length) return null;
+    try {
+      if (!crypto.timingSafeEqual(sigBuf, expectedBuf)) return null;
+    } catch {
+      return null;
+    }
+
     try {
       const data = JSON.parse(Buffer.from(payload, "base64url").toString());
       if (data.exp < Math.floor(Date.now() / 1000)) return null;
@@ -98,57 +113,6 @@ export function createGitHubOAuth({
     };
   }
 
-  // OAuth route handlers — mounted by server.mjs
-  const oauthRoutes = {
-    login(req, res) {
-      const state = crypto.randomBytes(16).toString("hex");
-      const callbackUrl = `${req.protocol}://${req.get("host")}/admin/oauth/callback`;
-      const params = new URLSearchParams({
-        client_id: clientId,
-        redirect_uri: callbackUrl,
-        scope: "read:user",
-        state,
-      });
-      // state is stateless here — for production add a cookie/session store
-      res.redirect(`${GITHUB_AUTH_URL}?${params.toString()}`);
-    },
-
-    async callback(req, res) {
-      const { code } = req.query;
-      if (!code) return res.status(400).send("Missing code");
-
-      try {
-        const callbackUrl = `${req.protocol}://${req.get("host")}/admin/oauth/callback`;
-
-        // Exchange code for GitHub access token
-        const tokenRes = await fetch(GITHUB_TOKEN_URL, {
-          method: "POST",
-          headers: { Accept: "application/json", "Content-Type": "application/json" },
-          body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, code, redirect_uri: callbackUrl }),
-        });
-        const tokenData = await tokenRes.json();
-        if (!tokenData.access_token) {
-          return res.status(401).send("GitHub OAuth failed: " + (tokenData.error_description || tokenData.error || "unknown"));
-        }
-
-        // Get GitHub user identity
-        const userRes = await fetch(GITHUB_USER_URL, {
-          headers: { Authorization: `Bearer ${tokenData.access_token}`, "User-Agent": "natilon-cms" },
-        });
-        const user = await userRes.json();
-
-        if (allowedLogins.length > 0 && !allowedLogins.includes(user.login)) {
-          return res.status(403).send(`GitHub user "${user.login}" is not authorised for this CMS.`);
-        }
-
-        const sessionToken = issueToken({ sub: user.login, type: "session", name: user.name || user.login });
-        res.redirect(`/admin/?token=${encodeURIComponent(sessionToken)}`);
-      } catch (err) {
-        res.status(500).send("OAuth error: " + err.message);
-      }
-    },
-  };
-
   function verify(authHeader) {
     if (!authHeader?.startsWith("Bearer ")) return null;
     const claims = verifyToken(authHeader.slice(7));
@@ -160,6 +124,24 @@ export function createGitHubOAuth({
     return issueToken({ sub: login, type: "session", name });
   }
 
+  function issueOAuthState() {
+    if (!jwtSecret) throw new Error("JWT_SECRET not set");
+    const header = Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url");
+    const now = Math.floor(Date.now() / 1000);
+    const payload = Buffer.from(JSON.stringify({
+      type: "oauth-state",
+      nonce: crypto.randomBytes(16).toString("hex"),
+      iat: now,
+      exp: now + 600,
+    })).toString("base64url");
+    return `${header}.${payload}.${sign(header, payload)}`;
+  }
+
+  function verifyOAuthState(state) {
+    const claims = verifyToken(state);
+    return Boolean(claims && claims.type === "oauth-state");
+  }
+
   return {
     configured,
     middleware: middlewareWith(null),
@@ -169,6 +151,7 @@ export function createGitHubOAuth({
     },
     verify,
     issueSessionToken,
-    oauthRoutes,
+    issueOAuthState,
+    verifyOAuthState,
   };
 }

package/src/adapters/github-templates.mjs

@@ -0,0 +1,100 @@
+import { createGitHubApi } from "./github-api.mjs";
+import { sanitize, safeFileName, commitMsg } from "./_shared.mjs";
+
+/**
+ * GitHub Contents API-backed block-template adapter.
+ *
+ * Templates are stored under `<templatesDir>/<slug>.json` on a configurable
+ * branch. Safe to run on any serverless runtime — no local filesystem.
+ *
+ * @param {Object} opts
+ * @param {string} opts.token        GitHub PAT with repo scope
+ * @param {string} opts.owner
+ * @param {string} opts.repo
+ * @param {string} opts.branch
+ * @param {string} [opts.templatesDir=".cms-templates"]
+ * @param {(ts: string) => string} [opts.commitMessage]
+ * @returns {import('./types.mjs').TemplatesAdapter}
+ */
+export function createGitHubTemplates({
+  token,
+  owner,
+  repo,
+  branch,
+  templatesDir = ".cms-templates",
+  commitMessage,
+}) {
+  const { apiGet, apiPut, apiDelete } = createGitHubApi({ token, owner, repo });
+  const shaCache = new Map();
+
+  function filePath(slug) {
+    return `${templatesDir}/${sanitize(slug)}.json`;
+  }
+
+  function msg() {
+    return commitMsg(commitMessage, "Template updated");
+  }
+
+  return {
+    async list() {
+      const items = await apiGet(`/contents/${templatesDir}?ref=${branch}`);
+      if (!items || !Array.isArray(items)) return [];
+      const jsonFiles = items.filter((i) => i.type === "file" && i.name.endsWith(".json"));
+      return Promise.all(
+        jsonFiles.map(async (item) => {
+          shaCache.set(item.path, item.sha);
+          const r = await fetch(item.download_url, {
+            headers: { Authorization: `Bearer ${token}`, "User-Agent": "natilon-cms" },
+          });
+          if (!r.ok) return null;
+          const data = await r.json();
+          return {
+            name: data.name,
+            slug: item.name.replace(".json", ""),
+            blockCount: (data.blocks || []).length,
+          };
+        }),
+      ).then((rs) => rs.filter(Boolean));
+    },
+
+    async get(slug) {
+      if (!safeFileName(slug)) return null;
+      const path = filePath(slug);
+      const data = await apiGet(`/contents/${path}?ref=${branch}`);
+      if (!data || Array.isArray(data)) return null;
+      shaCache.set(path, data.sha);
+      return JSON.parse(Buffer.from(data.content, "base64").toString("utf-8"));
+    },
+
+    async put(slug, data) {
+      if (!safeFileName(slug)) return null;
+      const path = filePath(slug);
+      let sha = shaCache.get(path);
+      if (!sha) {
+        const existing = await apiGet(`/contents/${path}?ref=${branch}`);
+        if (existing && !Array.isArray(existing)) sha = existing.sha;
+      }
+      const result = await apiPut(`/contents/${path}`, {
+        message: msg(),
+        content: Buffer.from(JSON.stringify(data, null, 2), "utf-8").toString("base64"),
+        branch,
+        ...(sha ? { sha } : {}),
+      });
+      shaCache.set(path, result.content?.sha);
+    },
+
+    async delete(slug) {
+      if (!safeFileName(slug)) return null;
+      const path = filePath(slug);
+      let sha = shaCache.get(path);
+      if (!sha) {
+        const existing = await apiGet(`/contents/${path}?ref=${branch}`);
+        if (!existing || Array.isArray(existing)) return false;
+        sha = existing.sha;
+      }
+      await apiDelete(`/contents/${path}`, { message: msg(), sha, branch });
+      shaCache.delete(path);
+      return true;
+    },
+  };
+}

package/src/adapters/index.mjs

@@ -1,5 +1,7 @@
 export { createFsJsonContent } from "./fs-json-content.mjs";
+export { createFsTemplates } from "./fs-templates.mjs";
 export { createGitHubContent } from "./github-content.mjs";
+export { createGitHubTemplates } from "./github-templates.mjs";
 export { createLocalAssetsMedia } from "./local-assets-media.mjs";
 export { createCdnProxyMedia } from "./cdn-proxy-media.mjs";
 export { createBasicAuth } from "./basic-auth.mjs";

package/src/adapters/local-assets-media.mjs

@@ -1,5 +1,6 @@
 import fs from "fs";
 import path from "path";
+import { sanitize } from "./_shared.mjs";
 
 const IMAGE_RE = /\.(png|jpg|jpeg|svg|webp|gif)$/i;
 
@@ -16,10 +17,6 @@ export function createLocalAssetsMedia({ rootDir, assetsDir }) {
   const ROOT = path.join(rootDir, assetsDir);
   const URL_PREFIX = `/${assetsDir.replace(/^\/+/, "")}`;
 
-  function sanitize(p) {
-    return String(p).replace(/[^a-zA-Z0-9._-]/g, "");
-  }
-
   function listImages(dir, prefix) {
     const out = [];
     const entries = fs.readdirSync(dir, { withFileTypes: true });

package/src/adapters/types.mjs

@@ -52,6 +52,7 @@
  * @property {(collection: string, file: string) => Promise<{file: string}|null>} duplicatePage
  * @property {() => Promise<PendingChanges>} pendingChanges
  * @property {() => Promise<PublishResult>} publish
+ * @property {(items: Array<{collection: string, file: string, data: object}>, message?: string) => Promise<{ok: boolean, sha?: string, commitCount: number}>} writeBatch
  */
 
 /**
@@ -75,4 +76,19 @@
  * @property {(opts?: {branch?: string, sha?: string}) => Promise<object>} getDeployStatus
  */
 
+/**
+ * @typedef {Object} TemplateSummary
+ * @property {string} name
+ * @property {string} slug
+ * @property {number} blockCount
+ */
+
+/**
+ * @typedef {Object} TemplatesAdapter
+ * @property {() => Promise<TemplateSummary[]>} list
+ * @property {(slug: string) => Promise<object|null>} get
+ * @property {(slug: string, data: object) => Promise<void>} put
+ * @property {(slug: string) => Promise<boolean>} delete
+ */
+
 export {};

package/src/default-public-config.mjs

@@ -7,18 +7,21 @@
  * Used automatically by createCmsServer when the consumer does not supply
  * their own publicConfig function.
  *
- * @param {Object} config  Full cms.config object
- * @returns {Object}       Safe subset for the browser
+ * @param {Object} config            Full cms.config object
+ * @param {Object} [overrides={}]    Extra fields merged in at the end (shallow)
+ * @returns {Object}                 Safe subset for the browser
  */
-export function defaultPublicConfig(config) {
-  return {
-    mountPath:          config.mountPath,
-    locales:            config.locales,
-    defaultLocale:      config.defaultLocale,
-    previewUrlPattern:  config.previewUrlPattern,
-    media:              config.media,
-    collections:        config.collections,
-    blocks:             config.blocks,
-    content:            { provider: config.content?.provider || "fs" },
+export function defaultPublicConfig(config, overrides = {}) {
+  const cfg = {
+    mountPath:         config.mountPath,
+    locales:           config.locales,
+    defaultLocale:     config.defaultLocale,
+    previewUrlPattern: config.previewUrlPattern,
+    media:             config.media,
+    collections:       config.collections,
+    blocks:            config.blocks,
+    content:           { provider: config.content?.provider || "fs" },
+    auth:              { provider: config.auth?.provider || "basic" },
   };
+  return Object.assign(cfg, overrides);
 }