@natilon/cms-server 0.1.2 → 0.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@natilon/cms-server",
-  "version": "0.1.2",
+  "version": "0.5.0",
   "description": "Express-based CMS server with pluggable adapters for content, media, auth, and build.",
   "license": "MIT",
   "repository": {
@@ -19,19 +19,23 @@
   "bin": {
     "natilon-cms": "./bin/natilon-cms.mjs"
   },
+  "scripts": {
+    "test": "node --test test/"
+  },
   "exports": {
     ".": "./src/index.mjs",
     "./media-url": "./src/adapters/media-url.mjs",
     "./adapters": "./src/adapters/index.mjs",
-    "./public-config": "./src/default-public-config.mjs"
+    "./public-config": "./src/default-public-config.mjs",
+    "./routes": "./src/routes.mjs",
+    "./hono-shim": "./src/hono-shim.mjs"
   },
   "files": [
     "src",
     "bin"
   ],
   "dependencies": {
-    "@natilon/admin-ui": "^0.1.1",
-    "depd": "^2.0.0",
+    "@natilon/admin-ui": "^0.5.0",
     "express": "^4.21.0"
   },
   "peerDependencies": {

package/src/adapters/_shared.mjs

@@ -0,0 +1,125 @@
+/**
+ * Shared helpers used across content and template adapters.
+ */
+
+/**
+ * Strips all characters outside [a-zA-Z0-9._-].
+ * Used to sanitize path segments coming from config (collection names, etc.).
+ */
+export function sanitize(p) {
+  return String(p).replace(/[^a-zA-Z0-9._-]/g, "");
+}
+
+/**
+ * Validates a filename (e.g. "en-hello.json") from a route param.
+ * Returns the input unchanged if it is safe, or null if it should be rejected.
+ *
+ * Rules:
+ *  - Must match /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/
+ *  - Must not be "." or ".." or consist entirely of dots
+ */
+export function safeFileName(name) {
+  if (typeof name !== "string") return null;
+  if (name === "." || name === ".." || /^\.+$/.test(name)) return null;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(name)) return null;
+  return name;
+}
+
+/**
+ * Sorts a pages array in-place and returns it.
+ *
+ * When sortConfig is provided, sorts by `data.meta?.[sortConfig.field]`.
+ * Missing values are always placed at the end, regardless of direction.
+ * When sortConfig is null/undefined, sorts by title (localeCompare).
+ *
+ * @param {Array} pages  Each element must have `.meta` and `.title`.
+ * @param {Object|null} sortConfig  { field: string, direction: "asc"|"desc" }
+ */
+export function sortPages(pages, sortConfig) {
+  if (sortConfig) {
+    const dir = sortConfig.direction === "desc" ? -1 : 1;
+    pages.sort((a, b) => {
+      const av = a.meta?.[sortConfig.field];
+      const bv = b.meta?.[sortConfig.field];
+      const aMissing = av === undefined || av === null;
+      const bMissing = bv === undefined || bv === null;
+      if (aMissing && bMissing) return 0;
+      if (aMissing) return 1;   // missing always last
+      if (bMissing) return -1;  // missing always last
+      if (av < bv) return -1 * dir;
+      if (av > bv) return 1 * dir;
+      return 0;
+    });
+  } else {
+    pages.sort((a, b) => a.title.localeCompare(b.title));
+  }
+  return pages;
+}
+
+/**
+ * Recursively regenerates block IDs.
+ * Children columns are arrays of block arrays (columns), so we recurse into each.
+ */
+export function reid(blocks) {
+  if (!Array.isArray(blocks)) return blocks;
+  return blocks.map((b) => {
+    const next = { ...b, id: "b-" + Math.random().toString(36).slice(2, 9) };
+    if (Array.isArray(b.children)) {
+      next.children = b.children.map((col) => reid(col));
+    }
+    return next;
+  });
+}
+
+/**
+ * Builds a duplicate page payload from a source page object.
+ * Returns { data, fileName }.
+ */
+export function buildDuplicateData(src) {
+  const lang = src.lang || "en";
+  const baseSlug = (src.slug || "page").replace(/-copy(-\d+)?$/, "");
+  const newSlug = `${baseSlug}-copy-${Math.floor(Date.now() / 1000)}`;
+  const data = {
+    ...src,
+    id: `${lang}/${newSlug}`,
+    slug: newSlug,
+    meta: { ...(src.meta || {}), title: `${src.meta?.title || newSlug} (Copy)` },
+    blocks: reid(src.blocks || []),
+  };
+  const fileName = `${sanitize(lang)}-${sanitize(newSlug)}.json`;
+  return { data, fileName };
+}
+
+/**
+ * Scans all collections in `adapter` and returns entries whose
+ * `meta.publishAt` is in the past.
+ *
+ * @param {import('./types.mjs').ContentAdapter} adapter
+ * @returns {Promise<Array<{collection: string, file: string, data: object}>>}
+ */
+export async function listScheduledDue(adapter) {
+  const collections = await adapter.listCollections();
+  const now = new Date();
+  const due = [];
+  for (const { name } of collections) {
+    const pages = await adapter.listPages(name);
+    for (const page of pages || []) {
+      if (page.meta?.publishAt && new Date(page.meta.publishAt) <= now) {
+        const data = await adapter.readPage(name, page.file);
+        if (data?.meta?.publishAt) due.push({ collection: name, file: page.file, data });
+      }
+    }
+  }
+  return due;
+}
+
+/**
+ * Produces a commit message string.
+ *
+ * @param {((ts: string) => string) | undefined} commitMessage
+ * @param {string} [fallback="Content updated"]
+ */
+export function commitMsg(commitMessage, fallback = "Content updated") {
+  const ts = new Date().toISOString().replace("T", " ").slice(0, 19);
+  return commitMessage ? commitMessage(ts) : `${fallback} ${ts}`;
+}

package/src/adapters/basic-auth.mjs

@@ -11,14 +11,33 @@ import crypto from "crypto";
  * @param {string} [opts.realm="Admin"]
  * @returns {import('./types.mjs').AuthAdapter}
  */
+function safeEq(a, b) {
+  const bufA = Buffer.from(a || "", "utf8");
+  const bufB = Buffer.from(b || "", "utf8");
+  if (bufA.length !== bufB.length) return false;
+  return crypto.timingSafeEqual(bufA, bufB);
+}
+
 export function createBasicAuth({
   user,
   pass,
+  users,
   jwtSecret,
   jwtTtl,
   realm = "Admin",
 }) {
-  const configured = Boolean(pass);
+  // Normalise: prefer `users` array, fall back to single user/pass pair.
+  const userList = users?.length
+    ? users
+    : pass ? [{ user: user || "admin", pass, role: "admin" }] : [];
+
+  const configured = userList.length > 0;
+
+  function findUser(u, p) {
+    return userList.find(
+      (entry) => safeEq(u, entry.user) && safeEq(p, entry.pass),
+    ) ?? null;
+  }
 
   function issueMediaToken(tenantId) {
     if (!jwtSecret) throw new Error("JWT_SECRET not set");
@@ -48,11 +67,13 @@ export function createBasicAuth({
         res.set("WWW-Authenticate", `Basic realm="${realm}"`);
         return res.status(401).send("Authentication required");
       }
-      const [u, p] = Buffer.from(auth.slice(6), "base64")
-        .toString()
-        .split(":");
-      if (u === user && p === pass) {
-        req.cmsUser = { login: user, role: "admin" };
+      const decoded = Buffer.from(auth.slice(6), "base64").toString();
+      const colon = decoded.indexOf(":");
+      const u = decoded.slice(0, colon);
+      const p = decoded.slice(colon + 1);
+      const entry = findUser(u, p);
+      if (entry) {
+        req.cmsUser = { login: entry.user, name: entry.name || entry.user, role: entry.role || "editor" };
         return next();
       }
       res.set("WWW-Authenticate", `Basic realm="${realm}"`);
@@ -61,14 +82,15 @@ export function createBasicAuth({
   }
 
   function verify(authHeader) {
-    if (!configured) return { login: user, role: "admin" };
+    if (!configured) return { login: "admin", role: "admin" };
     if (!authHeader?.startsWith("Basic ")) return null;
     const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
     const colon = decoded.indexOf(":");
     const u = decoded.slice(0, colon);
     const p = decoded.slice(colon + 1);
-    if (u === user && p === pass) return { login: user, role: "admin" };
-    return null;
+    const entry = findUser(u, p);
+    if (!entry) return null;
+    return { login: entry.user, name: entry.name || entry.user, role: entry.role || "editor" };
   }
 
   return {

package/src/adapters/cdn-proxy-media.mjs

@@ -1,3 +1,5 @@
+import { sanitize } from "./_shared.mjs";
+
 /**
  * CDN-backed media adapter that proxies requests to a remote media
  * service expecting Bearer-token auth (e.g. the natilon media-cdn lambda).
@@ -20,13 +22,10 @@
  *   upload: (payload: object) => Promise<object>,
  * }}
  */
+
 export function createCdnProxyMedia({ baseUrl, getToken }) {
   const ROOT = baseUrl.replace(/\/+$/, "");
 
-  function sanitize(folder) {
-    return String(folder).replace(/[^a-zA-Z0-9._-]/g, "");
-  }
-
   async function call(path, opts = {}) {
     const r = await fetch(ROOT + path, {
       ...opts,

package/src/adapters/cloudflare-access.mjs

@@ -0,0 +1,140 @@
+/**
+ * Cloudflare Access auth adapter.
+ *
+ * Verifies the `Cf-Access-Jwt-Assertion` header (or `CF_Authorization` cookie)
+ * signed by your Cloudflare Access team using RS256. No third-party libraries —
+ * uses Node's built-in `crypto` module.
+ *
+ * cms.config.mjs:
+ *   auth: {
+ *     provider: "cloudflare-access",
+ *     teamDomain: "https://yourteam.cloudflareaccess.com",
+ *     audience:   "your-application-audience-tag",   // from Access app settings
+ *     roles: {                                        // optional: map email → role
+ *       "fatih@example.com": "admin",
+ *     },
+ *     defaultRole: "editor",                          // role when email not in roles map
+ *   }
+ */
+
+import crypto from "crypto";
+
+const JWKS_TTL_MS = 60 * 60 * 1000; // 1 hour
+
+/**
+ * @param {Object} opts
+ * @param {string} opts.teamDomain   e.g. "https://yourteam.cloudflareaccess.com"
+ * @param {string} opts.audience     Application Audience tag from Cloudflare Access
+ * @param {Object} [opts.roles]      { "email": "admin" | "editor" }
+ * @param {string} [opts.defaultRole]
+ */
+export function createCloudflareAccess({ teamDomain, audience, roles = {}, defaultRole = "editor" }) {
+  const domain = teamDomain.replace(/\/$/, "");
+  const certsUrl = `${domain}/cdn-cgi/access/certs`;
+
+  // JWKS cache
+  let jwksCache = null;
+  let jwksCachedAt = 0;
+
+  async function getJwks() {
+    if (jwksCache && Date.now() - jwksCachedAt < JWKS_TTL_MS) return jwksCache;
+    const res = await fetch(certsUrl);
+    if (!res.ok) throw new Error(`Failed to fetch Cloudflare Access JWKS: ${res.status}`);
+    jwksCache = await res.json();
+    jwksCachedAt = Date.now();
+    return jwksCache;
+  }
+
+  function base64urlDecode(str) {
+    return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+  }
+
+  function importPublicKey(jwk) {
+    // Cloudflare Access JWKS uses x5c (certificate chain) or n/e (RSA components).
+    if (jwk.x5c?.length) {
+      const pem = `-----BEGIN CERTIFICATE-----\n${jwk.x5c[0].match(/.{1,64}/g).join("\n")}\n-----END CERTIFICATE-----`;
+      return crypto.createPublicKey(pem);
+    }
+    if (jwk.n && jwk.e) {
+      return crypto.createPublicKey({ key: jwk, format: "jwk" });
+    }
+    throw new Error("Unsupported JWK format — no x5c or n/e fields");
+  }
+
+  async function verifyToken(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) throw new Error("Invalid JWT format");
+
+    const [headerB64, payloadB64, sigB64] = parts;
+    const header = JSON.parse(base64urlDecode(headerB64).toString());
+    const payload = JSON.parse(base64urlDecode(payloadB64).toString());
+
+    // Claim validation
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) throw new Error("JWT expired");
+    if (payload.nbf && payload.nbf > now) throw new Error("JWT not yet valid");
+    if (payload.iss !== domain) throw new Error(`JWT issuer mismatch: ${payload.iss}`);
+    if (audience && payload.aud !== audience && !payload.aud?.includes?.(audience)) {
+      throw new Error("JWT audience mismatch");
+    }
+
+    // Signature verification
+    const jwks = await getJwks();
+    const jwk = jwks.keys?.find((k) => k.kid === header.kid) ?? jwks.keys?.[0];
+    if (!jwk) throw new Error("No matching JWK found");
+
+    const pubKey = importPublicKey(jwk);
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(`${headerB64}.${payloadB64}`);
+    const valid = verify.verify(pubKey, base64urlDecode(sigB64));
+    if (!valid) throw new Error("JWT signature invalid");
+
+    return payload;
+  }
+
+  function extractToken(req) {
+    const header = req.headers["cf-access-jwt-assertion"];
+    if (header) return header;
+    // Fall back to cookie
+    const cookie = req.headers.cookie || "";
+    const match = cookie.match(/(?:^|;\s*)CF_Authorization=([^;]+)/);
+    return match ? match[1] : null;
+  }
+
+  function resolveUser(payload) {
+    const email = payload.email || payload.sub;
+    const role = roles[email] ?? defaultRole;
+    return { login: email, name: email, role };
+  }
+
+  function middlewareWith(allowlist) {
+    return async (req, res, next) => {
+      if (allowlist && allowlist(req)) return next();
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Cloudflare Access token required" });
+      }
+      try {
+        const payload = await verifyToken(token);
+        req.cmsUser = resolveUser(payload);
+        return next();
+      } catch (err) {
+        return res.status(401).json({ error: `Access denied: ${err.message}` });
+      }
+    };
+  }
+
+  async function verify(authHeader) {
+    // authHeader unused — Cloudflare Access uses its own header/cookie
+    return null;
+  }
+
+  return {
+    configured: Boolean(teamDomain && audience),
+    middleware: middlewareWith(null),
+    middlewareWith,
+    verify,
+    // issueMediaToken not supported for Cloudflare Access — use Cloudflare's own CDN auth
+    issueMediaToken: () => { throw new Error("issueMediaToken not supported for cloudflare-access"); },
+  };
+}

package/src/adapters/fs-json-content.mjs

@@ -1,6 +1,7 @@
 import fs from "fs";
 import path from "path";
 import { execSync } from "child_process";
+import { sanitize, safeFileName, sortPages, buildDuplicateData, listScheduledDue } from "./_shared.mjs";
 
 const HISTORY_KEEP = 50; // max revisions kept per file
 
@@ -50,10 +51,6 @@ export function createFsJsonContent({
     return execSync(`git ${cmd}`, { cwd: rootDir, encoding: "utf-8" }).trim();
   }
 
-  function sanitize(p) {
-    return String(p).replace(/[^a-zA-Z0-9._-]/g, "");
-  }
-
   function pagePath(collection, file) {
     return path.join(PAGES_DIR, sanitize(collection), sanitize(file));
   }
@@ -86,24 +83,13 @@ export function createFsJsonContent({
           title: data.meta?.title || data.meta?.name || file,
           file,
           meta: data.meta || {},
-          _sort: sortConfig ? (data.meta?.[sortConfig.field] ?? Infinity) : null,
         };
       });
-      if (sortConfig) {
-        const dir = sortConfig.direction === "desc" ? -1 : 1;
-        pages.sort((a, b) => {
-          if (a._sort < b._sort) return -1 * dir;
-          if (a._sort > b._sort) return 1 * dir;
-          return 0;
-        });
-      } else {
-        pages.sort((a, b) => a.title.localeCompare(b.title));
-      }
-      pages.forEach((p) => delete p._sort);
-      return pages;
+      return sortPages(pages, sortConfig);
     },
 
     async readPage(collection, file) {
+      if (!safeFileName(file)) return null;
       const filePath = pagePath(collection, file);
       if (!fs.existsSync(filePath)) return null;
       return JSON.parse(fs.readFileSync(filePath, "utf-8"));
@@ -128,6 +114,7 @@ export function createFsJsonContent({
     },
 
     async deletePage(collection, file) {
+      if (!safeFileName(file)) return null;
       const filePath = pagePath(collection, file);
       if (!fs.existsSync(filePath)) return false;
       fs.unlinkSync(filePath);
@@ -135,36 +122,12 @@ export function createFsJsonContent({
     },
 
     async duplicatePage(collection, file) {
+      if (!safeFileName(file)) return null;
       const filePath = pagePath(collection, file);
       if (!fs.existsSync(filePath)) return null;
       const src = JSON.parse(fs.readFileSync(filePath, "utf-8"));
 
-      const lang = src.lang || "en";
-      const baseSlug = (src.slug || "page").replace(/-copy(-\d+)?$/, "");
-      const newSlug = `${baseSlug}-copy-${Math.floor(Date.now() / 1000)}`;
-
-      // Regenerate block IDs to avoid duplicates within the document if the
-      // same block is later edited in both copies.
-      function reid(blocks) {
-        if (!Array.isArray(blocks)) return blocks;
-        return blocks.map((b) => {
-          const next = { ...b, id: "b-" + Math.random().toString(36).slice(2, 9) };
-          if (Array.isArray(b.children)) {
-            next.children = b.children.map((col) => reid(col));
-          }
-          return next;
-        });
-      }
-
-      const data = {
-        ...src,
-        id: `${lang}/${newSlug}`,
-        slug: newSlug,
-        meta: { ...(src.meta || {}), title: `${src.meta?.title || newSlug} (Copy)` },
-        blocks: reid(src.blocks || []),
-      };
-
-      const fileName = `${sanitize(lang)}-${sanitize(newSlug)}.json`;
+      const { data, fileName } = buildDuplicateData(src);
       const dest = pagePath(collection, fileName);
       const dir = path.dirname(dest);
       if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
@@ -203,6 +166,7 @@ export function createFsJsonContent({
     },
 
     async listHistory(collection, file) {
+      if (!safeFileName(file)) return null;
       const dir = historyDir(collection, file);
       if (!fs.existsSync(dir)) return [];
       return fs
@@ -211,16 +175,13 @@ export function createFsJsonContent({
         .sort()
         .reverse()
         .map((f) => {
-          const ts = f.replace(".json", "").replace(/-(\d{2})-(\d{3})$/, ".$1Z").replace(/-/g, (m, o, s) => {
-            // Reconstruct ISO: YYYY-MM-DDTHH-MM-SS-mmmZ → YYYY-MM-DDTHH:MM:SS.mmmZ
-            return s.slice(0, o).match(/T/) ? ":" : m;
-          });
           const stat = fs.statSync(path.join(dir, f));
           return { ts: f.replace(".json", ""), size: stat.size };
         });
     },
 
     async restoreHistory(collection, file, ts) {
+      if (!safeFileName(file)) return null;
       const src = path.join(historyDir(collection, file), sanitize(ts) + ".json");
       if (!fs.existsSync(src)) return false;
       const data = JSON.parse(fs.readFileSync(src, "utf-8"));
@@ -229,20 +190,16 @@ export function createFsJsonContent({
       return true;
     },
 
-    async listScheduled() {
-      const collections = await this.listCollections();
-      const now = new Date();
-      const due = [];
-      for (const { name } of collections) {
-        const pages = await this.listPages(name);
-        for (const page of pages || []) {
-          if (page.meta?.publishAt && new Date(page.meta.publishAt) <= now) {
-            const data = await this.readPage(name, page.file);
-            if (data?.meta?.publishAt) due.push({ collection: name, file: page.file, data });
-          }
-        }
+    async writeBatch(items, _message) {
+      if (!items.length) return { ok: true, commitCount: 0 };
+      for (const { collection, file, data } of items) {
+        await this.writePage(collection, file, data);
       }
-      return due;
+      return { ok: true, commitCount: items.length };
+    },
+
+    async listScheduled() {
+      return listScheduledDue(this);
     },
   };
 }

package/src/adapters/fs-templates.mjs

@@ -0,0 +1,57 @@
+import fs from "fs";
+import path from "path";
+import { sanitize, safeFileName } from "./_shared.mjs";
+
+/**
+ * Filesystem-backed block-template adapter. Templates are stored as JSON files
+ * under `<rootDir>/.cms-templates/<slug>.json`.
+ *
+ * @param {Object} opts
+ * @param {string} opts.rootDir
+ * @returns {import('./types.mjs').TemplatesAdapter}
+ */
+export function createFsTemplates({ rootDir }) {
+  const DIR = path.join(rootDir, ".cms-templates");
+
+  return {
+    async list() {
+      if (!fs.existsSync(DIR)) return [];
+      return fs
+        .readdirSync(DIR)
+        .filter((f) => f.endsWith(".json"))
+        .map((f) => {
+          const data = JSON.parse(fs.readFileSync(path.join(DIR, f), "utf-8"));
+          return {
+            name: data.name,
+            slug: f.replace(".json", ""),
+            blockCount: (data.blocks || []).length,
+          };
+        });
+    },
+
+    async get(slug) {
+      if (!safeFileName(slug)) return null;
+      const file = path.join(DIR, sanitize(slug) + ".json");
+      if (!fs.existsSync(file)) return null;
+      return JSON.parse(fs.readFileSync(file, "utf-8"));
+    },
+
+    async put(slug, data) {
+      if (!safeFileName(slug)) return null;
+      if (!fs.existsSync(DIR)) fs.mkdirSync(DIR, { recursive: true });
+      fs.writeFileSync(
+        path.join(DIR, sanitize(slug) + ".json"),
+        JSON.stringify(data, null, 2),
+        "utf-8",
+      );
+    },
+
+    async delete(slug) {
+      if (!safeFileName(slug)) return null;
+      const file = path.join(DIR, sanitize(slug) + ".json");
+      if (!fs.existsSync(file)) return false;
+      fs.unlinkSync(file);
+      return true;
+    },
+  };
+}

package/src/adapters/github-api.mjs

@@ -0,0 +1,91 @@
+/**
+ * Shared helpers for adapters backed by the GitHub Contents API.
+ *
+ * Returns `{ apiGet, apiPut, apiDelete }` bound to one repo. Each call returns
+ * parsed JSON (or `null` on 404 for GET) and throws on other non-2xx responses.
+ */
+export function createGitHubApi({ token, owner, repo }) {
+  const BASE = `https://api.github.com/repos/${owner}/${repo}`;
+
+  const headers = () => ({
+    Authorization: `Bearer ${token}`,
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "User-Agent": "natilon-cms",
+    "Content-Type": "application/json",
+  });
+
+  async function apiGet(path) {
+    const r = await fetch(`${BASE}${path}`, { headers: headers() });
+    if (r.status === 404) return null;
+    if (!r.ok) throw new Error(`GitHub API ${r.status} GET ${path}`);
+    return r.json();
+  }
+
+  async function apiPut(path, body) {
+    const r = await fetch(`${BASE}${path}`, {
+      method: "PUT",
+      headers: headers(),
+      body: JSON.stringify(body),
+    });
+    if (!r.ok) {
+      const err = await r.json().catch(() => ({}));
+      throw new Error(`GitHub API ${r.status} PUT ${path}: ${err.message || ""}`);
+    }
+    return r.json();
+  }
+
+  async function apiDelete(path, body) {
+    const r = await fetch(`${BASE}${path}`, {
+      method: "DELETE",
+      headers: headers(),
+      body: JSON.stringify(body),
+    });
+    if (!r.ok) throw new Error(`GitHub API ${r.status} DELETE ${path}`);
+    return r.json();
+  }
+
+  async function apiPost(path, body) {
+    const r = await fetch(`${BASE}${path}`, {
+      method: "POST",
+      headers: headers(),
+      body: JSON.stringify(body),
+    });
+    if (!r.ok) {
+      const err = await r.json().catch(() => ({}));
+      throw new Error(`GitHub API ${r.status} POST ${path}: ${err.message || ""}`);
+    }
+    return r.json();
+  }
+
+  async function apiPatch(path, body) {
+    const r = await fetch(`${BASE}${path}`, {
+      method: "PATCH",
+      headers: headers(),
+      body: JSON.stringify(body),
+    });
+    if (!r.ok) {
+      const err = await r.json().catch(() => ({}));
+      throw new Error(`GitHub API ${r.status} PATCH ${path}: ${err.message || ""}`);
+    }
+    return r.json();
+  }
+
+  async function graphql(query, variables = {}) {
+    const r = await fetch("https://api.github.com/graphql", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "User-Agent": "natilon-cms",
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ query, variables }),
+    });
+    if (!r.ok) throw new Error(`GitHub GraphQL ${r.status}`);
+    const json = await r.json();
+    if (json.errors?.length) throw new Error(json.errors[0].message);
+    return json.data;
+  }
+
+  return { apiGet, apiPut, apiDelete, apiPost, apiPatch, graphql };
+}