@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "0.6.0",
+  "version": "1.1.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -21,6 +21,8 @@
     "headless-cms"
   ],
   "exports": {
+    "./auth-setzkasten-login": "./src/api-routes/auth-setzkasten-login.ts",
+    "./global-config": "./src/api-routes/global-config.ts",
     "./auth-login": "./src/api-routes/auth-login.ts",
     "./auth-callback": "./src/api-routes/auth-callback.ts",
     "./auth-logout": "./src/api-routes/auth-logout.ts",
@@ -44,6 +46,21 @@
     "./section-commit-pending": "./src/api-routes/section-commit-pending.ts",
     "./section-delete": "./src/api-routes/section-delete.ts",
     "./section-duplicate": "./src/api-routes/section-duplicate.ts",
+    "./updater-register": "./src/api-routes/updater-register.ts",
+    "./updater-check": "./src/api-routes/updater-check.ts",
+    "./updater-transfer": "./src/api-routes/updater-transfer.ts",
+    "./updater-unbind": "./src/api-routes/updater-unbind.ts",
+    "./editors": "./src/api-routes/editors.ts",
+    "./setup-github-app": "./src/api-routes/setup-github-app.ts",
+    "./setup-github-app-callback": "./src/api-routes/setup-github-app-callback.ts",
+    "./setup-github-app-installed": "./src/api-routes/setup-github-app-installed.ts",
+    "./setup-github-app-bounce": "./src/api-routes/setup-github-app-bounce.ts",
+    "./setup-github-app-repos": "./src/api-routes/setup-github-app-repos.ts",
+    "./setup-github-app-branches": "./src/api-routes/setup-github-app-branches.ts",
+    "./websites-list": "./src/api-routes/websites-list.ts",
+    "./websites-add": "./src/api-routes/websites-add.ts",
+    "./websites-remove": "./src/api-routes/websites-remove.ts",
+    "./migrate-to-multi": "./src/api-routes/migrate-to-multi.ts",
     "./admin-page": "./src/admin-page.astro"
   },
   "devDependencies": {
@@ -51,11 +68,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "0.6.0",
-    "@setzkasten-cms/catalog": "0.6.0",
-    "@setzkasten-cms/core": "0.6.0",
-    "@setzkasten-cms/ui": "0.6.0",
-    "@setzkasten-cms/github-adapter": "0.6.0"
+    "@setzkasten-cms/auth": "1.1.0",
+    "@setzkasten-cms/catalog": "1.1.0",
+    "@setzkasten-cms/github-adapter": "1.1.0",
+    "@setzkasten-cms/core": "1.1.0",
+    "@setzkasten-cms/ui": "1.1.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",

package/src/admin-page.astro

@@ -69,10 +69,7 @@
         try {
           const injected = (globalThis as any).__SETZKASTEN_CONFIG__ ?? {}
 
-          const providers: Array<'github' | 'google'> = []
-          if (injected.hasGitHub) providers.push('github')
-          if (injected.hasGoogle) providers.push('google')
-          if (providers.length === 0) providers.push('github')
+          const providers: Array<'github' | 'google'> = ['github']
 
           // Fetch the full user config from server
           let userConfig: any = null
@@ -81,12 +78,15 @@
             if (res.ok) userConfig = await res.json()
           } catch {}
 
-          const skConfig = userConfig ?? {
-            storage: { kind: 'github' as const },
-            auth: { providers },
+          // providers is always derived from injected flags (license-aware),
+          // so we override auth.providers regardless of what userConfig says.
+          const skConfig = {
+            storage: { kind: 'local' as const },
             theme: {},
             products: {},
             collections: {},
+            ...(userConfig ?? {}),
+            auth: { ...(userConfig?.auth ?? {}), providers },
           }
 
           // Storage params come from the config API (server-injected via SSR)
@@ -111,7 +111,7 @@
             repo,
             branch,
             assetsPath,
-            publicUrlPrefix: '/images',
+            // publicUrlPrefix is auto-derived from assetsPath by ProxyAssetStore
           })
 
           const auth = {
@@ -131,6 +131,7 @@
               createElement(AdminApp)
             )
           )
+
         } catch (error) {
           console.error('[setzkasten] Boot failed:', error)
           root.innerHTML = `

package/src/api-routes/__tests__/auth-guard.test.ts

@@ -0,0 +1,134 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { parseSession, guardPageAccess } from '../_auth-guard'
+import type { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core'
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function adminSession(): AuthSession {
+  return { user: { id: '1', email: 'admin@example.com', provider: 'github', role: 'admin' }, expiresAt: Date.now() + 86400_000 }
+}
+
+function editorSession(email = 'editor@example.com'): AuthSession {
+  return { user: { id: '2', email, provider: 'google', role: 'editor' }, expiresAt: Date.now() + 86400_000 }
+}
+
+const baseConfig: SetzKastenConfig = {
+  storage: { kind: 'local' as const },
+  auth: { providers: ['github'] },
+  products: {},
+}
+
+// ---------------------------------------------------------------------------
+// parseSession
+// ---------------------------------------------------------------------------
+
+describe('parseSession', () => {
+  it('returns null for undefined input', () => {
+    expect(parseSession(undefined)).toBeNull()
+  })
+
+  it('returns null for invalid JSON', () => {
+    expect(parseSession('not-json')).toBeNull()
+  })
+
+  it('parses a valid session cookie', () => {
+    const session = adminSession()
+    expect(parseSession(JSON.stringify(session))).toEqual(session)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// guardPageAccess – dynamic editors
+// ---------------------------------------------------------------------------
+
+vi.mock('../editors', () => ({
+  readEditorsFileStatus: vi.fn(),
+}))
+
+vi.mock('../_storage-config', () => ({
+  resolveStorageConfig: vi.fn(() => ({ owner: 'test', repo: 'test', branch: 'main' })),
+}))
+
+vi.mock('../_github-token', () => ({
+  resolveConfigRepoToken: vi.fn(async () => ({ ok: true, value: 'ghs_mock' })),
+}))
+
+const { readEditorsFileStatus } = await import('../editors')
+
+beforeEach(() => {
+  vi.mocked(readEditorsFileStatus).mockReset()
+})
+
+describe('guardPageAccess – no session', () => {
+  it('returns 401 for missing session', async () => {
+    const res = await guardPageAccess(null, 'home', baseConfig)
+    expect(res?.status).toBe(401)
+  })
+})
+
+describe('guardPageAccess – admin', () => {
+  it('always passes for admin regardless of editors', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'other@example.com' }],
+    })
+    const res = await guardPageAccess(adminSession(), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+})
+
+describe('guardPageAccess – dynamic editors', () => {
+  it('allows editor access when listed in _editors.json', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com', pages: ['home', 'about'] }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('denies editor access when page not listed in _editors.json', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com', pages: ['about'] }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res?.status).toBe(403)
+  })
+
+  it('allows all pages when editor has no page restriction', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [{ email: 'editor@example.com' }],
+    })
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'secret-page', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('allows access when _editors.json is genuinely absent (404)', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({ kind: 'absent' })
+    const res = await guardPageAccess(editorSession(), 'home', baseConfig)
+    expect(res).toBeNull()
+  })
+
+  it('returns 503 when the editors fetch errors out (fail-closed)', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'error',
+      message: 'GitHub returned 500',
+    })
+    const res = await guardPageAccess(editorSession(), 'home', baseConfig)
+    expect(res?.status).toBe(503)
+  })
+
+  it('denies when dynamic editors list is empty, regardless of config', async () => {
+    vi.mocked(readEditorsFileStatus).mockResolvedValue({
+      kind: 'present',
+      editors: [],
+    })
+    // Dynamic list is empty → denied
+    const res = await guardPageAccess(editorSession('editor@example.com'), 'home', baseConfig)
+    expect(res?.status).toBe(403)
+  })
+})

package/src/api-routes/__tests__/commit-trailers.test.ts

@@ -0,0 +1,69 @@
+/**
+ * Tests for commit message trailer helpers.
+ * @vitest-environment node
+ */
+
+import { describe, it, expect } from 'vitest'
+import { withTrailers, SETZKASTEN_CO_AUTHOR } from '../_commit-trailers'
+
+describe('SETZKASTEN_CO_AUTHOR', () => {
+  it('is a valid Co-authored-by trailer', () => {
+    expect(SETZKASTEN_CO_AUTHOR).toMatch(/^Co-authored-by: .+ <.+>$/)
+  })
+})
+
+describe('withTrailers', () => {
+  it('appends the Setzkasten co-author trailer to any message', () => {
+    const result = withTrailers('content: update hero section on index')
+    expect(result).toContain(SETZKASTEN_CO_AUTHOR)
+  })
+
+  it('separates the trailer block with a blank line', () => {
+    const result = withTrailers('content: update hero section on index')
+    expect(result).toContain('\n\n')
+    const [body, trailers] = result.split('\n\n')
+    expect(body).toBe('content: update hero section on index')
+    expect(trailers).toContain('Co-authored-by:')
+  })
+
+  it('does not add editor trailer when editorEmail is not provided', () => {
+    const result = withTrailers('chore: something')
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(1)
+    expect(lines[0]).toBe(SETZKASTEN_CO_AUTHOR)
+  })
+
+  it('does not add editor trailer when editorEmail is null', () => {
+    const result = withTrailers('chore: something', null)
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(1)
+  })
+
+  it('adds editor Co-authored-by when editorEmail is provided', () => {
+    const result = withTrailers('content: update', 'jane.doe@example.com')
+    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    expect(lines).toHaveLength(2)
+    expect(lines[1]).toContain('jane.doe@example.com')
+  })
+
+  it('derives a readable name from the editor email local-part', () => {
+    const result = withTrailers('content: update', 'jane.doe@example.com')
+    expect(result).toContain('Co-authored-by: Jane Doe <jane.doe@example.com>')
+  })
+
+  it('handles hyphen-separated names in email', () => {
+    const result = withTrailers('content: update', 'anna-lena@example.com')
+    expect(result).toContain('Co-authored-by: Anna Lena <anna-lena@example.com>')
+  })
+
+  it('handles underscore-separated names in email', () => {
+    const result = withTrailers('content: update', 'max_mustermann@example.com')
+    expect(result).toContain('Co-authored-by: Max Mustermann <max_mustermann@example.com>')
+  })
+
+  it('preserves the original message as the first line', () => {
+    const msg = 'content: add new section on about'
+    const result = withTrailers(msg, 'editor@example.com')
+    expect(result.startsWith(msg)).toBe(true)
+  })
+})

package/src/api-routes/__tests__/github-cache.test.ts

@@ -0,0 +1,100 @@
+/**
+ * Tests for the GitHub file read cache.
+ * @vitest-environment node
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { cachedFetch, invalidateCache } from '../_github-cache'
+
+beforeEach(() => {
+  invalidateCache('test-key')
+  vi.useRealTimers()
+})
+
+describe('cachedFetch', () => {
+  it('calls fetcher on first access (cache miss)', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBe('data-v1')
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('returns cached value without calling fetcher again (cache hit)', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 60_000, fetcher)
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBe('data-v1')
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('re-fetches after TTL expires', async () => {
+    vi.useFakeTimers()
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 1_000, fetcher)
+
+    vi.advanceTimersByTime(1_001)
+    fetcher.mockResolvedValue('data-v2')
+    const result = await cachedFetch('test-key', 1_000, fetcher)
+
+    expect(result).toBe('data-v2')
+    expect(fetcher).toHaveBeenCalledTimes(2)
+  })
+
+  it('returns stale value on fetch error (stale-on-error)', async () => {
+    vi.useFakeTimers()
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 1_000, fetcher)
+
+    vi.advanceTimersByTime(1_001)
+    fetcher.mockRejectedValue(new Error('GitHub API down'))
+    const result = await cachedFetch('test-key', 1_000, fetcher)
+
+    expect(result).toBe('data-v1')
+  })
+
+  it('throws when fetcher fails and no stale value exists', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('GitHub API down'))
+    await expect(cachedFetch('test-key', 60_000, fetcher)).rejects.toThrow('GitHub API down')
+  })
+
+  it('caches null values (file not found is a valid result)', async () => {
+    const fetcher = vi.fn().mockResolvedValue(null)
+    await cachedFetch('test-key', 60_000, fetcher)
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+    expect(result).toBeNull()
+    expect(fetcher).toHaveBeenCalledOnce()
+  })
+
+  it('uses separate cache entries per key', async () => {
+    invalidateCache('key-a')
+    invalidateCache('key-b')
+    const fetcherA = vi.fn().mockResolvedValue('a')
+    const fetcherB = vi.fn().mockResolvedValue('b')
+    const [a, b] = await Promise.all([
+      cachedFetch('key-a', 60_000, fetcherA),
+      cachedFetch('key-b', 60_000, fetcherB),
+    ])
+    expect(a).toBe('a')
+    expect(b).toBe('b')
+    invalidateCache('key-a')
+    invalidateCache('key-b')
+  })
+})
+
+describe('invalidateCache', () => {
+  it('forces re-fetch after invalidation', async () => {
+    const fetcher = vi.fn().mockResolvedValue('data-v1')
+    await cachedFetch('test-key', 60_000, fetcher)
+
+    invalidateCache('test-key')
+    fetcher.mockResolvedValue('data-v2')
+    const result = await cachedFetch('test-key', 60_000, fetcher)
+
+    expect(result).toBe('data-v2')
+    expect(fetcher).toHaveBeenCalledTimes(2)
+  })
+
+  it('is a no-op for unknown keys', () => {
+    expect(() => invalidateCache('nonexistent-key')).not.toThrow()
+  })
+})

package/src/api-routes/__tests__/github-token-for-request.test.ts

@@ -0,0 +1,112 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { type Result, type WebsiteEntry, ok } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { resolveGitHubTokenForRequest } from '../_github-token'
+import { __resetWebsiteResolverForTests } from '../_website-resolver'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ENTRY_A: WebsiteEntry = {
+  id: 'a',
+  name: 'A',
+  repo: 'acme/a',
+  branch: 'main',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '11', installationId: '101' },
+}
+
+const ENTRY_B: WebsiteEntry = {
+  id: 'b',
+  name: 'B',
+  repo: 'acme/b',
+  branch: 'main',
+  previewOrigin: 'https://b.example.com',
+  githubApp: { appId: '11', installationId: '202' },
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]) {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+})
+
+afterEach(() => {
+  __resetWebsiteResolverForTests(null)
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+})
+
+describe('resolveGitHubTokenForRequest', () => {
+  it('uses the resolved website installation id when calling GitHub', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A, ENTRY_B]),
+    })
+
+    const fetchMock = vi.fn(async (_url: string, _init?: RequestInit) => ({
+      ok: true,
+      json: async () => ({
+        token: 'ghs_token_for_b',
+        expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+      }),
+    }))
+    vi.stubGlobal('fetch', fetchMock)
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'b' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value).toBe('ghs_token_for_b')
+
+    const calledUrl = fetchMock.mock.calls[0]?.[0]
+    expect(calledUrl ?? '').toContain('/app/installations/202/access_tokens')
+  })
+
+  it('returns auth-error when resolver fails', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A]),
+    })
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'unknown' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(false)
+  })
+
+  it('returns auth-error when GITHUB_APP_PRIVATE_KEY is missing', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A]),
+    })
+    vi.unstubAllEnvs()
+
+    const req = new Request('https://cms.example.com/x', {
+      headers: { 'x-sk-website': 'a' },
+    })
+
+    const result = await resolveGitHubTokenForRequest(req)
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) expect(result.error.type).toBe('auth')
+  })
+})

package/src/api-routes/__tests__/github-token.test.ts

@@ -0,0 +1,78 @@
+/**
+ * Tests for _github-token.ts
+ *
+ * Covers:
+ *   1. GitHub App vars gesetzt → gibt Installation Access Token zurück
+ *   2. Nicht alle Vars gesetzt → auth error Result
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { generateKeyPairSync } from 'node:crypto'
+
+const { privateKey: TEST_KEY } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const TEST_PRIVATE_KEY_PEM = TEST_KEY.export({ type: 'pkcs8', format: 'pem' }) as string
+
+function setEnv(vars: Record<string, string | undefined>) {
+  for (const [key, value] of Object.entries(vars)) {
+    if (value === undefined) {
+      delete process.env[key]
+    } else {
+      process.env[key] = value
+    }
+  }
+}
+
+function clearAppEnv() {
+  setEnv({
+    GITHUB_APP_ID: undefined,
+    GITHUB_APP_PRIVATE_KEY: undefined,
+    GITHUB_APP_INSTALLATION_ID: undefined,
+  })
+}
+
+describe('resolveConfigRepoToken', () => {
+  beforeEach(() => {
+    clearAppEnv()
+    vi.stubGlobal('fetch', vi.fn())
+  })
+
+  afterEach(() => {
+    clearAppEnv()
+    vi.restoreAllMocks()
+  })
+
+  it('gibt Installation-Token zurück wenn alle GITHUB_APP_*-Vars gesetzt sind', async () => {
+    setEnv({
+      GITHUB_APP_ID: '123456',
+      GITHUB_APP_PRIVATE_KEY: TEST_PRIVATE_KEY_PEM,
+      GITHUB_APP_INSTALLATION_ID: '42000000',
+    })
+
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({
+        token: 'ghs_installation_token',
+        expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+      }),
+    } as Response)
+
+    const { resolveConfigRepoToken } = await import('../_github-token')
+    const result = await resolveConfigRepoToken()
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value).toBe('ghs_installation_token')
+    expect(vi.mocked(fetch)).toHaveBeenCalledWith(
+      expect.stringContaining('/app/installations/42000000/access_tokens'),
+      expect.objectContaining({ method: 'POST' }),
+    )
+  })
+
+  it('gibt auth error zurück wenn GITHUB_APP_*-Vars fehlen', async () => {
+    const { resolveConfigRepoToken } = await import('../_github-token')
+    const result = await resolveConfigRepoToken()
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) expect(result.error.type).toBe('auth')
+    expect(vi.mocked(fetch)).not.toHaveBeenCalled()
+  })
+})

package/src/api-routes/__tests__/global-config-theme.test.ts

@@ -0,0 +1,71 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('../_storage-config', () => ({
+  resolveStorageConfig: vi.fn(() => ({ owner: 'o', repo: 'r', branch: 'main' })),
+}))
+
+vi.stubGlobal('__SETZKASTEN_CONFIG__', { storage: { contentPath: 'content' } })
+
+describe('GlobalConfig – theme field', () => {
+  it('GlobalConfig type accepts a theme object', async () => {
+    const { } = await import('../global-config')
+    // Type-level check: if this compiles the type is correct
+    const cfg = {
+      theme: { primaryColor: '#ff0000', brandName: 'Acme', logo: '/logo.png' },
+    }
+    expect(cfg.theme.primaryColor).toBe('#ff0000')
+    expect(cfg.theme.brandName).toBe('Acme')
+  })
+
+  it('GlobalConfig theme fields are all optional', async () => {
+    const cfg = { theme: {} }
+    expect(cfg.theme).toBeDefined()
+  })
+})
+
+describe('config.ts – theme merge', () => {
+  beforeEach(() => {
+    vi.resetModules()
+  })
+
+  it('merges global theme over static config theme', async () => {
+    vi.doMock('../global-config', () => ({
+      readGlobalConfig: vi.fn(async () => ({
+        theme: { primaryColor: '#abc123', brandName: 'Dynamic Brand' },
+      })),
+    }))
+
+    vi.stubGlobal('__SETZKASTEN_FULL_CONFIG__', {
+      theme: { primaryColor: '#ffffff', brandName: 'Static Brand', logo: '/logo.png' },
+      auth: { providers: ['github'] },
+      products: {},
+    })
+
+    const { GET } = await import('../config')
+    const res = await GET({} as any)
+    const body = await res.json() as any
+
+    expect(body.theme.primaryColor).toBe('#abc123')
+    expect(body.theme.brandName).toBe('Dynamic Brand')
+    expect(body.theme.logo).toBe('/logo.png') // static fallback preserved
+  })
+
+  it('uses static theme when global config has no theme', async () => {
+    vi.doMock('../global-config', () => ({
+      readGlobalConfig: vi.fn(async () => ({ firebaseConfig: null })),
+    }))
+
+    vi.stubGlobal('__SETZKASTEN_FULL_CONFIG__', {
+      theme: { primaryColor: '#ffffff', brandName: 'Static Brand' },
+      auth: { providers: ['github'] },
+      products: {},
+    })
+
+    const { GET } = await import('../config')
+    const res = await GET({} as any)
+    const body = await res.json() as any
+
+    expect(body.theme.primaryColor).toBe('#ffffff')
+    expect(body.theme.brandName).toBe('Static Brand')
+  })
+})