@setzkasten-cms/astro-admin 0.6.0 → 0.8.0

package/src/api-routes/auth-setzkasten-login.ts

@@ -0,0 +1,60 @@
+import type { APIRoute } from 'astro'
+import { verifyFirebaseJwt } from '@setzkasten-cms/auth'
+import { readEditorsFile } from './editors'
+import { readGlobalConfig } from './global-config'
+import { resolveStorageConfig } from './_storage-config'
+
+/**
+ * POST /api/setzkasten/auth/setzkasten-login
+ * Body: { idToken: string }  — Firebase ID token from signInWithPopup
+ *
+ * Verifies the Firebase JWT against Firebase's public JWKS (no secret needed).
+ * Access is gated exclusively by _editors.json (fail-closed).
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const body = await request.json().catch(() => null)
+  const idToken = body?.idToken as string | undefined
+
+  if (!idToken) {
+    return new Response('Missing idToken', { status: 400 })
+  }
+
+  const storage = resolveStorageConfig()
+  if (!storage) {
+    return new Response('Storage not configured', { status: 500 })
+  }
+  const { owner, repo, branch } = storage
+  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const contentPath: string = serverConfig?.storage?.contentPath ?? 'content'
+  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? ''
+
+  // Verify that SetzKastenLogin is configured (firebaseConfig must exist in global config)
+  const globalCfg = await readGlobalConfig().catch(() => null)
+  if (!globalCfg?.firebaseConfig) {
+    return new Response('SetzKastenLogin not configured', { status: 500 })
+  }
+
+  // Read editors list — fail-closed: if unreadable, deny all logins
+  const editors = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  if (editors === null) {
+    return new Response('Editors list unavailable — no access granted', { status: 503 })
+  }
+
+  const allowedEmails = editors.map((e) => e.email)
+  const result = await verifyFirebaseJwt(idToken, allowedEmails)
+
+  if (!result.ok) {
+    return new Response(result.error.message, { status: 403 })
+  }
+
+  const session = result.value
+  cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
+    httpOnly: true,
+    secure: import.meta.env.PROD,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7,
+  })
+
+  return Response.json({ ok: true })
+}

package/src/api-routes/catalog-add.ts

@@ -3,6 +3,8 @@ import { registry } from '@setzkasten-cms/catalog'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { validateCatalogAddBody, buildCatalogAddCommit } from './catalog-helpers'
 import { generateAddKey, addToPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/catalog/add
@@ -37,8 +39,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
 
+    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -82,7 +88,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(template.defaultContent, null, 2) },
       ],
-      `content: add catalog template "${templateName}" as "${sectionKey}" to ${pageKey}`,
+      withTrailers(
+        `content: add catalog template "${templateName}" as "${sectionKey}" to ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 

package/src/api-routes/config.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { readGlobalConfig } from './global-config'
 
 /**
  * Returns the full SetzKastenConfig as JSON.
@@ -10,6 +11,8 @@ export const GET: APIRoute = async () => {
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
   const ssrConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as Record<string, unknown> | undefined
 
+  const globalCfg = await readGlobalConfig().catch(() => null)
+
   const result = {
     storage: { kind: 'github' },
     auth: { providers: ['github'] },
@@ -21,6 +24,8 @@ export const GET: APIRoute = async () => {
     _storage: ssrConfig?.storage ?? undefined,
     _hasGitHub: ssrConfig?.hasGitHub ?? false,
     _hasGoogle: ssrConfig?.hasGoogle ?? false,
+    // SetzKastenLogin Firebase config (present only when license is valid)
+    _firebaseConfig: globalCfg?.firebaseConfig ?? null,
   }
 
   return new Response(JSON.stringify(result), {

package/src/api-routes/editors.ts

@@ -0,0 +1,136 @@
+import type { APIRoute } from 'astro'
+import { resolveStorageConfig } from './_storage-config'
+import { parseSession } from './_auth-guard'
+import type { ContentEditorConfig } from '@setzkasten-cms/core'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { withTrailers } from './_commit-trailers'
+
+const EDITORS_FILE = (contentPath: string) => `${contentPath}/_editors.json`
+
+// ---------------------------------------------------------------------------
+// GET /api/setzkasten/editors
+// Returns the current editors list from _editors.json.
+// Any authenticated user may read this (needed for the page-filter in the UI).
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
+  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+
+  const storage = resolveStorageConfig()
+  if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
+
+  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+  const { owner, repo, branch } = storage
+
+  const raw = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  return Response.json(raw ?? [])
+}
+
+// ---------------------------------------------------------------------------
+// PUT /api/setzkasten/editors
+// Replaces the editors list. Admin-only.
+// Body: ContentEditorConfig[]
+// ---------------------------------------------------------------------------
+
+export const PUT: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+  if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
+
+  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
+  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+
+  const storage = resolveStorageConfig()
+  if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
+
+  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+  const { owner, repo, branch } = storage
+
+  let editors: ContentEditorConfig[]
+  try {
+    editors = (await request.json()) as ContentEditorConfig[]
+    if (!Array.isArray(editors)) throw new Error('Expected array')
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 })
+  }
+
+  const filePath = EDITORS_FILE(contentPath)
+  const fileContent = JSON.stringify(editors, null, 2)
+  const headers = {
+    Authorization: `Bearer ${githubToken}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // Get current SHA if the file already exists (needed for updates)
+  const existing = await fetchFileSha(owner, repo, branch, filePath, headers)
+
+  const body: Record<string, unknown> = {
+    message: withTrailers('chore(editors): update content editor permissions'),
+    content: Buffer.from(fileContent).toString('base64'),
+    branch,
+  }
+  if (existing) body.sha = existing
+
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: 'PUT', headers, body: JSON.stringify(body) },
+  )
+
+  if (!res.ok) {
+    const text = await res.text()
+    return Response.json({ error: `GitHub write failed: ${text}` }, { status: 502 })
+  }
+
+  invalidateCache(`editors:${owner}/${repo}:${branch}`)
+  return Response.json({ ok: true })
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+async function fetchFileSha(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  headers: Record<string, string>,
+): Promise<string | null> {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { sha: string }
+    return data.sha ?? null
+  } catch { return null }
+}
+
+export async function readEditorsFile(
+  owner: string,
+  repo: string,
+  branch: string,
+  contentPath: string,
+  token: string,
+): Promise<ContentEditorConfig[] | null> {
+  const key = `editors:${owner}/${repo}:${branch}`
+  return cachedFetch(key, 2 * 60_000, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { content: string; encoding: string }
+    const raw = data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
+    return JSON.parse(raw) as ContentEditorConfig[]
+  })
+}

package/src/api-routes/global-config.ts

@@ -0,0 +1,132 @@
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { resolveStorageConfig } from './_storage-config'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { withTrailers } from './_commit-trailers'
+
+const GLOBAL_CONFIG_FILE = (contentPath: string) => `${contentPath}/_global_config.json`
+
+export interface GlobalConfig {
+  firebaseConfig?: {
+    apiKey: string
+    authDomain: string
+    projectId: string
+  }
+}
+
+// ---------------------------------------------------------------------------
+// GET /api/setzkasten/global-config — any authenticated user
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  const cfg = await readGlobalConfig()
+  return Response.json(cfg ?? {})
+}
+
+// ---------------------------------------------------------------------------
+// PUT /api/setzkasten/global-config — admin only
+// ---------------------------------------------------------------------------
+
+export const PUT: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+  if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
+
+  let patch: Partial<GlobalConfig>
+  try {
+    patch = (await request.json()) as Partial<GlobalConfig>
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 })
+  }
+
+  const current = await readGlobalConfig() ?? {}
+  const next: GlobalConfig = { ...current }
+  for (const [k, v] of Object.entries(patch)) {
+    if (v === null) delete (next as Record<string, unknown>)[k]
+    else (next as Record<string, unknown>)[k] = v
+  }
+  await writeGlobalConfig(next)
+  return Response.json({ ok: true })
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function getStorageParams() {
+  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const storage = resolveStorageConfig()
+  if (!storage) return null
+  return {
+    owner: storage.owner,
+    repo: storage.repo,
+    branch: storage.branch,
+    contentPath: serverConfig?.storage?.contentPath ?? 'content',
+    token: (import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? '') as string,
+  }
+}
+
+export async function readGlobalConfig(): Promise<GlobalConfig | null> {
+  const params = getStorageParams()
+  if (!params) return null
+  const { owner, repo, branch, contentPath, token } = params
+  const key = `global-config:${owner}/${repo}:${branch}`
+  return cachedFetch(key, 5 * 60_000, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { content: string; encoding: string }
+    const raw = data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+    return JSON.parse(raw) as GlobalConfig
+  })
+}
+
+export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
+  const params = getStorageParams()
+  if (!params) throw new Error('Storage not configured')
+  const { owner, repo, branch, contentPath, token } = params
+  invalidateCache(`global-config:${owner}/${repo}:${branch}`)
+  const filePath = GLOBAL_CONFIG_FILE(contentPath)
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // Get current SHA if file exists
+  let sha: string | undefined
+  try {
+    const existing = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}?ref=${branch}`,
+      { headers },
+    )
+    if (existing.ok) {
+      const data = await existing.json() as { sha: string }
+      sha = data.sha
+    }
+  } catch { /* file doesn't exist yet */ }
+
+  const body: Record<string, unknown> = {
+    message: withTrailers('chore(config): update global config'),
+    content: Buffer.from(JSON.stringify(config, null, 2)).toString('base64'),
+    branch,
+  }
+  if (sha) body.sha = sha
+
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: 'PUT', headers, body: JSON.stringify(body) },
+  )
+  if (!res.ok) {
+    const text = await res.text()
+    throw new Error(`GitHub write failed: ${text}`)
+  }
+}

package/src/api-routes/init-add-section.ts

@@ -4,6 +4,7 @@ import { addSectionToConfig } from '@setzkasten-cms/core/init'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { patchTemplateForFields, stripTemplateFallbacks } from '../init/template-patcher-v2'
 import type { RepeatedGroup } from '../init/analyzer-types'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/init/add-section
@@ -84,7 +85,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // Only add values for fields that don't already exist
     for (const field of section.fields) {
       if (!(field.key in sectionData)) {
-        sectionData[field.key] = field.defaultValue ?? getDefaultValue(field.type)
+        let value = field.defaultValue ?? getDefaultValue(field.type)
+        if (Array.isArray(value)) value = value.filter((item: unknown) => item != null)
+        sectionData[field.key] = value
       }
     }
 
@@ -208,7 +211,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         for (const g of repeatedGroups) {
           const topField = fields.find(f => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          sectionData[g.fieldKey] = topField.defaultValue
+          sectionData[g.fieldKey] = (topField.defaultValue as unknown[]).filter(item => item != null)
           const jsonIdx = filesToCommit.findIndex(f => f.path === sectionJsonPath)
           if (jsonIdx !== -1) {
             filesToCommit[jsonIdx]!.content = JSON.stringify(sectionData, null, 2)
@@ -232,7 +235,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         for (const g of repeatedGroups) {
           const topField = fields.find(f => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          const items = topField.defaultValue as Array<Record<string, unknown>>
+          const items = (topField.defaultValue as Array<Record<string, unknown>>).filter(item => item != null)
 
           // Update sectionData with the enriched items array
           sectionData[g.fieldKey] = items
@@ -279,9 +282,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       filesToCommit,
-      existingSectionJson
+      withTrailers(existingSectionJson
         ? `content: update ${section.key} section — add new fields`
-        : `content: add ${section.key} section to Setzkasten`,
+        : `content: add ${section.key} section to Setzkasten`),
       headers,
     )
 

package/src/api-routes/init-apply.ts

@@ -2,6 +2,7 @@ import type { APIRoute } from 'astro'
 import { generateConfigFile, type InferredSection, type ConfigGeneratorInput } from '@setzkasten-cms/core/init'
 import { patchAstroConfig } from '../init/astro-config-patcher'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
+import { withTrailers } from './_commit-trailers'
 
 interface ApplyRequest {
   owner: string
@@ -115,7 +116,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       filesToCommit,
-      'feat: initialize Setzkasten CMS',
+      withTrailers('feat: initialize Setzkasten CMS'),
       githubToken,
     )
 

package/src/api-routes/init-migrate.ts

@@ -2,6 +2,7 @@ import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/init/migrate
@@ -108,7 +109,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       [{ path: componentPath, content: patched }],
-      `chore: add live-preview bindings to ${sectionKey} section`,
+      withTrailers(`chore: add live-preview bindings to ${sectionKey} section`),
       headers,
     )
 

package/src/api-routes/pages.ts

@@ -1,14 +1,32 @@
 import type { APIRoute } from 'astro'
 
+interface PageInfo {
+  path: string
+  pageKey: string
+  label: string
+  hasConfig: boolean
+}
+
+// Build-time constant injected by the Vite define plugin — always available in
+// compiled API routes (unlike page-ssr injectScript which only runs for SSR pages).
+declare const __SETZKASTEN_PAGES__: PageInfo[] | undefined
+
+/**
+ * Returns the list of pages scanned at build time.
+ * Reads the Vite build-time constant first; falls back to globalThis for
+ * local dev / test environments where the define is not applied.
+ */
+export function resolvePages(): PageInfo[] {
+  const buildPages = typeof __SETZKASTEN_PAGES__ !== 'undefined' ? __SETZKASTEN_PAGES__ : null
+  return buildPages ?? (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[] ?? []
+}
+
 /**
- * Returns the list of pages detected at build time.
- * The pages are scanned from src/pages/ by the integration hook
- * and injected into globalThis.__SETZKASTEN_PAGES__.
- *
  * GET /api/setzkasten/pages
+ * Returns the list of pages detected at build time.
  */
 export const GET: APIRoute = async () => {
-  const pages = (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ ?? []
+  const pages = resolvePages()
 
   return new Response(JSON.stringify({ pages }), {
     status: 200,

package/src/api-routes/section-add.ts

@@ -1,6 +1,8 @@
 import type { APIRoute } from 'astro'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { generateAddKey, addToPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/sections/add
@@ -47,6 +49,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
 
+    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -97,7 +102,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(defaultContent, null, 2) },
       ],
-      `content: add ${sectionType} section "${newKey}" to ${pageKey}`,
+      withTrailers(
+        `content: add ${sectionType} section "${newKey}" to ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 

package/src/api-routes/section-commit-pending.ts

@@ -2,6 +2,8 @@ import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
 import { resolveStorageConfig } from './_storage-config'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/sections/commit-pending
@@ -40,6 +42,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const { owner, repo, branch } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, pageConfig, sections, edits = [] } = body
 
@@ -47,6 +50,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey, pageConfig, and sections are required' }, { status: 400 })
     }
 
+    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -79,7 +85,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       const keys = edits.map(s => s.key).join(', ')
       parts.push(`update ${edits.length} section${edits.length > 1 ? 's' : ''} (${keys})`)
     }
-    const commitMessage = `content: ${parts.length > 0 ? parts.join(', ') : 'update page config'} on ${pageKey}`
+    const editorEmail = parseSession(cookies.get('setzkasten_session')?.value)?.user?.email
+    const commitMessage = withTrailers(
+      `content: ${parts.length > 0 ? parts.join(', ') : 'update page config'} on ${pageKey}`,
+      editorEmail,
+    )
     const commitResult = await batchCommit(owner, repo, branch, files, commitMessage, headers)
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })

package/src/api-routes/section-delete.ts

@@ -1,6 +1,8 @@
 import type { APIRoute } from 'astro'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { removeFromPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * DELETE /api/setzkasten/sections
@@ -34,6 +36,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, sectionKey } = body
 
@@ -41,6 +44,9 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
+    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -65,7 +71,10 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       owner, repo, branch,
       [{ path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) }],
       [sectionJsonPath],
-      `content: remove ${sectionKey} section from ${pageKey}`,
+      withTrailers(
+        `content: remove ${sectionKey} section from ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 

package/src/api-routes/section-duplicate.ts

@@ -1,6 +1,8 @@
 import type { APIRoute } from 'astro'
 import { resolveStorageConfig, prefixPath } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
 
 /**
  * POST /api/setzkasten/sections/duplicate
@@ -34,6 +36,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, sectionKey } = body
 
@@ -41,6 +44,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
+    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -77,7 +83,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     }
 
     const commitResult = await batchCommit(owner, repo, branch, filesToCommit,
-      `content: duplicate ${sectionKey} → ${newKey} on ${pageKey}`, headers)
+      withTrailers(
+        `content: duplicate ${sectionKey} → ${newKey} on ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
+      headers)
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })