@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/setup-github-app-callback.ts

@@ -0,0 +1,53 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+const COOKIE_NAME = 'sk_app_setup'
+const COOKIE_MAX_AGE = 600 // 10 minutes
+
+/**
+ * Receives the code from GitHub after a GitHub App Manifest creation.
+ * Exchanges it for the full app credentials (App ID, private key, slug).
+ *
+ * GET /api/setzkasten/setup/github-app/callback?code=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+export const GET: APIRoute = async ({ url, request, cookies }) => {
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath?: string }
+    | undefined
+  const adminPath = config?.adminPath ?? '/admin'
+  const adminUrl = new URL(adminPath, getPublicOrigin(request))
+  const code = url.searchParams.get('code')
+
+  if (!code) {
+    adminUrl.searchParams.set('github-app-error', 'missing_code')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  let data: { id: number; slug: string; pem: string } | null = null
+  try {
+    const response = await fetch(`https://api.github.com/app-manifests/${code}/conversions`, {
+      method: 'POST',
+      headers: { Accept: 'application/vnd.github.v3+json' },
+      signal: AbortSignal.timeout(8000),
+    })
+    if (!response.ok) throw new Error(`GitHub returned ${response.status}`)
+    data = (await response.json()) as typeof data
+  } catch {
+    adminUrl.searchParams.set('github-app-error', 'exchange_failed')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  // Set cookie before constructing the redirect response —
+  // Response.redirect() is immutable and blocks subsequent header writes.
+  cookies.set(
+    COOKIE_NAME,
+    JSON.stringify({ appId: String(data!.id), slug: data!.slug, privateKey: data!.pem }),
+    { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+  )
+
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+}

package/src/api-routes/setup-github-app-installed.ts

@@ -0,0 +1,44 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+const COOKIE_NAME = 'sk_app_setup'
+const COOKIE_MAX_AGE = 600
+
+/**
+ * Receives the installation_id from GitHub after the user installs the App.
+ * Merges it into the existing setup cookie and redirects back to the admin.
+ *
+ * GET /api/setzkasten/setup/github-app/installed?installation_id=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+export const GET: APIRoute = async ({ url, request, cookies }) => {
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath?: string }
+    | undefined
+  const adminPath = config?.adminPath ?? '/admin'
+  const adminUrl = new URL(adminPath, getPublicOrigin(request))
+  const installationId = url.searchParams.get('installation_id')
+  const existing = cookies.get(COOKIE_NAME)?.value
+
+  if (!installationId || !existing) {
+    adminUrl.searchParams.set('github-app-error', 'missing_installation')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  try {
+    const data = JSON.parse(existing) as Record<string, string>
+    cookies.set(
+      COOKIE_NAME,
+      JSON.stringify({ ...data, installationId }),
+      { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+    )
+  } catch {
+    adminUrl.searchParams.set('github-app-error', 'invalid_session')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+}

package/src/api-routes/setup-github-app-repos.ts

@@ -0,0 +1,46 @@
+import type { APIRoute } from 'astro'
+import { listAccessibleRepos } from '@setzkasten-cms/github-adapter'
+import { requireAdmin } from './_auth-guard'
+
+/**
+ * GET /api/setzkasten/setup/github-app/repos
+ *
+ * Returns every repository the configured GitHub App can access, flattened
+ * across all installations. Each entry includes the installationId so the
+ * "Neue Website hinzufügen" form can record which installation owns the
+ * repo without a follow-up lookup.
+ *
+ * Admin-only — editors must not be able to enumerate repos across the
+ * organization. The endpoint uses the global App credentials from the env
+ * (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY) so the user never has to type them.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error:
+          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+      }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const result = await listAccessibleRepos({ appId, privateKey })
+  if (!result.ok) {
+    const status = result.error.type === 'auth' ? 401 : 502
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  return new Response(JSON.stringify({ repos: result.value }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/setup-github-app.ts

@@ -0,0 +1,58 @@
+import type { APIRoute } from 'astro'
+import { GitHubAppClient } from '@setzkasten-cms/github-adapter'
+
+/**
+ * Setup-Wizard: GitHub App Integration
+ *
+ * GET  /api/setzkasten/setup/github-app  – Status abfragen
+ * POST /api/setzkasten/setup/github-app  – Verbindung testen
+ *
+ * Credentials werden NICHT persistiert – der Nutzer setzt die env vars manuell.
+ * Der POST-Endpunkt validiert die Verbindung durch einen echten Token-Request.
+ */
+
+export const GET: APIRoute = async () => {
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  const installationId = process.env.GITHUB_APP_INSTALLATION_ID
+
+  const configured = Boolean(appId && privateKey && installationId)
+
+  return Response.json({ configured, ...(configured ? { appId } : {}) })
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  let body: unknown
+  try {
+    body = await request.json()
+  } catch {
+    return Response.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+
+  const { appId, privateKey, installationId } =
+    (body as Record<string, unknown>) ?? {}
+
+  if (!appId || !privateKey || !installationId) {
+    return Response.json(
+      { error: 'appId, privateKey and installationId are required' },
+      { status: 400 },
+    )
+  }
+
+  const client = new GitHubAppClient(
+    {
+      appId: String(appId),
+      privateKey: String(privateKey),
+      installationId: String(installationId),
+    },
+    { owner: '', repo: '', branch: '' },
+  )
+
+  const result = await client.getInstallationToken()
+
+  if (!result.ok) {
+    return Response.json({ ok: false, error: result.error.message }, { status: 400 })
+  }
+
+  return Response.json({ ok: true })
+}

package/src/api-routes/updater-check.ts

@@ -0,0 +1,49 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Lightweight update check without re-registration.
+ *
+ * GET /api/setzkasten/updater/check?instanceId=X
+ */
+export const GET: APIRoute = async ({ cookies, url }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+    updaterUrl?: string
+    version?: string
+  } | undefined
+
+  const updaterUrl = config?.updaterUrl
+  if (!updaterUrl) {
+    return Response.json({
+      updateAvailable: false,
+      latestVersion: config?.version ?? 'unknown',
+      releaseNotesUrl: '',
+    })
+  }
+
+  const instanceId = url.searchParams.get('instanceId') ?? ''
+
+  try {
+    const response = await fetch(
+      `${updaterUrl}/api/check-update?instanceId=${encodeURIComponent(instanceId)}`,
+      { signal: AbortSignal.timeout(5000) },
+    )
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`)
+    }
+
+    const data = await response.json()
+    return Response.json(data)
+  } catch {
+    return Response.json({
+      updateAvailable: false,
+      latestVersion: config?.version ?? 'unknown',
+      releaseNotesUrl: '',
+    })
+  }
+}

package/src/api-routes/updater-register.ts

@@ -0,0 +1,90 @@
+import type { APIRoute } from 'astro'
+
+/**
+ * Registers this Setzkasten instance with the central updater backend.
+ * Called on every Dashboard load. Returns update status and license tier.
+ *
+ * POST /api/setzkasten/updater/register
+ *
+ * Body (optional — for UI activation flow):
+ *   { licenseEmail: string, licenseKey: string }
+ */
+export const POST: APIRoute = async ({ cookies, request }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+    updaterUrl?: string
+    version?: string
+    websiteUrl?: string
+    storage?: { owner?: string; repo?: string }
+  } | undefined
+
+  const currentVersion = config?.version ?? '0.0.0'
+  const updaterUrl = config?.updaterUrl
+  if (!updaterUrl) {
+    return Response.json({
+      instanceId: null,
+      updateAvailable: false,
+      currentVersion,
+      latestVersion: null,
+      releaseNotesUrl: '',
+      licenseTier: 'free',
+      licenseValid: false,
+    })
+  }
+
+  const owner = config?.storage?.owner ?? ''
+  const repo = config?.storage?.repo ?? ''
+  const repoUrl = owner && repo ? `${owner}/${repo}` : ''
+  const websiteUrl = config?.websiteUrl ?? ''
+
+  let licenseEmail: string | undefined
+  let licenseKey: string | undefined
+  try {
+    if (request.headers.get('content-type')?.includes('application/json')) {
+      const parsed = await request.json() as { licenseEmail?: string; licenseKey?: string }
+      licenseEmail = parsed.licenseEmail?.trim() || undefined
+      licenseKey = parsed.licenseKey?.trim() || undefined
+    }
+  } catch {
+    // Empty / malformed body — treat as no UI input
+  }
+
+  try {
+    const response = await fetch(`${updaterUrl}/api/register`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        repoUrl,
+        websiteUrl,
+        currentVersion,
+        licenseEmail,
+        licenseKey,
+        telemetryEnabled: true,
+        managedWebsites: [],
+      }),
+      signal: AbortSignal.timeout(5000),
+    })
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`)
+    }
+
+    const data = await response.json() as { firebaseConfig?: { apiKey: string; authDomain: string; projectId: string }; [key: string]: unknown }
+
+    return Response.json({ ...data, currentVersion, _firebaseConfig: data.firebaseConfig ?? null })
+  } catch {
+    return Response.json({
+      instanceId: null,
+      updateAvailable: false,
+      currentVersion,
+      latestVersion: null,
+      releaseNotesUrl: '',
+      licenseTier: 'free',
+      licenseValid: false,
+    })
+  }
+}

package/src/api-routes/updater-transfer.ts

@@ -0,0 +1,51 @@
+import type { APIRoute } from 'astro'
+import { createHash } from 'node:crypto'
+
+/**
+ * Transfer a license to the current Setzkasten instance.
+ * The backend identifies the license by instanceId (computed from repoUrl + websiteUrl).
+ *
+ * POST /api/setzkasten/updater/transfer
+ */
+export const POST: APIRoute = async ({ cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+    updaterUrl?: string
+    websiteUrl?: string
+    storage?: { owner?: string; repo?: string }
+  } | undefined
+
+  const updaterUrl = config?.updaterUrl
+  if (!updaterUrl) {
+    return Response.json({ error: 'Updater not configured' }, { status: 400 })
+  }
+
+  const owner = config?.storage?.owner ?? ''
+  const repo = config?.storage?.repo ?? ''
+  const repoUrl = owner && repo ? `${owner}/${repo}` : ''
+  const websiteUrl = config?.websiteUrl ?? ''
+
+  const raw = (repoUrl || 'unknown') + '|' + (websiteUrl || 'unknown')
+  const instanceId = createHash('sha256').update(raw).digest('hex').slice(0, 32)
+
+  try {
+    const response = await fetch(`${updaterUrl}/api/transfer`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        toInstanceId: instanceId,
+        toWebsiteUrl: websiteUrl,
+      }),
+      signal: AbortSignal.timeout(5000),
+    })
+
+    const data = await response.json()
+    return Response.json(data, { status: response.status })
+  } catch {
+    return Response.json({ error: 'Transfer failed' }, { status: 500 })
+  }
+}

package/src/api-routes/updater-unbind.ts

@@ -0,0 +1,59 @@
+import type { APIRoute } from 'astro'
+import { createHash } from 'node:crypto'
+
+/**
+ * Release the license binding for this Setzkasten instance.
+ *
+ * POST /api/setzkasten/updater/unbind
+ *
+ * Reads license credentials from either:
+ *   1. `setzkasten.config.ts` → license.{email,key}
+ *   2. Request body (UI removal flow): { licenseEmail, licenseKey }
+ *
+ * On success, Firebase clears `instance.licenseKey` and removes this
+ * instance from `license.boundTo` / `license.boundInstances`.
+ */
+export const POST: APIRoute = async ({ cookies, request }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+    updaterUrl?: string
+    websiteUrl?: string
+    storage?: { owner?: string; repo?: string }
+  } | undefined
+
+  const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as {
+    license?: { email?: string; key?: string }
+  } | undefined
+
+  const updaterUrl = config?.updaterUrl
+  if (!updaterUrl) {
+    return Response.json({ error: 'Updater not configured' }, { status: 400 })
+  }
+
+  const owner = config?.storage?.owner ?? ''
+  const repo = config?.storage?.repo ?? ''
+  const repoUrl = owner && repo ? `${owner}/${repo}` : ''
+  const websiteUrl = config?.websiteUrl ?? ''
+
+  // Compute deterministic instanceId (same as backend register)
+  const raw = (repoUrl || 'unknown') + '|' + (websiteUrl || 'unknown')
+  const instanceId = createHash('sha256').update(raw).digest('hex').slice(0, 32)
+
+  try {
+    const response = await fetch(`${updaterUrl}/api/unbind`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ instanceId }),
+      signal: AbortSignal.timeout(5000),
+    })
+
+    const data = await response.json()
+    return Response.json(data, { status: response.status })
+  } catch {
+    return Response.json({ error: 'Unbind failed' }, { status: 500 })
+  }
+}

package/src/api-routes/websites-add.ts

@@ -0,0 +1,113 @@
+import {
+  type WebsiteEntry,
+  addWebsiteToRegistry,
+  canAddWebsite,
+  parseWebsitesRegistry,
+} from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveLicenseTier } from './_license-tier'
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub,
+} from './_websites-store'
+
+/**
+ * POST /api/setzkasten/websites/add
+ *
+ * Body: { entry: WebsiteEntry }
+ *
+ * Reads the current websites.json from the config-repo, adds the entry
+ * (validated via parseWebsitesRegistry to share one truth on what makes
+ * a valid WebsiteEntry), and commits the new file back via the GitHub
+ * Contents API.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  let parsed: { entry?: WebsiteEntry } = {}
+  try {
+    parsed = (await request.json()) as { entry?: WebsiteEntry }
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+  if (!parsed.entry || typeof parsed.entry !== 'object') {
+    return new Response(JSON.stringify({ error: 'Missing "entry" in body' }), { status: 400 })
+  }
+
+  // The form leaves githubApp.appId blank when the user wants to fall back
+  // to GITHUB_APP_ID from the env. Inject it before validation so the
+  // registry sees a complete entry. The App-ID itself is not sensitive
+  // (it's public on every App's settings page on github.com), so writing
+  // it into websites.json is fine — but doing it server-side keeps the
+  // client form simpler.
+  const entry = parsed.entry as unknown as {
+    githubApp?: { appId?: string; installationId?: string }
+  }
+  if (entry.githubApp && !entry.githubApp.appId) {
+    const envAppId = process.env.GITHUB_APP_ID
+    if (envAppId) entry.githubApp.appId = envAppId
+  }
+
+  // Reuse parseWebsitesRegistry's per-entry validation by stuffing the new
+  // entry into a one-element registry — same rules everywhere.
+  const validation = parseWebsitesRegistry(JSON.stringify({ websites: [parsed.entry] }))
+  if (!validation.ok) {
+    return new Response(JSON.stringify({ error: validation.error.message }), { status: 400 })
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value)
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").',
+      }),
+      { status: 400 },
+    )
+  }
+
+  const current = await readWebsitesRegistryFromGitHub(target)
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 })
+  }
+
+  // License gate: enforce the per-tier website limit before mutating GitHub.
+  // 402 Payment Required is the most accurate code here — the registry would
+  // accept the entry, only the license disagrees.
+  const tier = resolveLicenseTier()
+  const allowed = canAddWebsite(tier, current.value.registry.websites.length)
+  if (!allowed.ok) {
+    return new Response(
+      JSON.stringify({ error: allowed.reason, tier: allowed.tier, limit: allowed.limit }),
+      { status: 402, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const merged = addWebsiteToRegistry(current.value.registry, parsed.entry)
+  if (!merged.ok) {
+    return new Response(JSON.stringify({ error: merged.error.message }), { status: 409 })
+  }
+
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    merged.value,
+    current.value.sha,
+    `feat(websites): add "${parsed.entry.id}" to registry`,
+  )
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 })
+  }
+
+  return new Response(JSON.stringify({ ok: true, websites: merged.value.websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/websites-list.ts

@@ -0,0 +1,40 @@
+import type { APIRoute } from 'astro'
+import { listAllWebsites } from './_website-resolver.js'
+
+/**
+ * GET /api/setzkasten/websites
+ *
+ * Returns the list of managed websites visible to the admin SPA.
+ * Strips private fields (`githubApp` installation refs, `allowedEmails`)
+ * — the client only needs ids/names/repos for the switcher.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  const result = await listAllWebsites()
+  if (!result.ok) {
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status: 500,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  const websites = result.value.map((entry) => ({
+    id: entry.id,
+    name: entry.name,
+    repo: entry.repo,
+    branch: entry.branch,
+    previewOrigin: entry.previewOrigin,
+  }))
+
+  return new Response(JSON.stringify({ websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/websites-remove.ts

@@ -0,0 +1,74 @@
+import { removeWebsiteFromRegistry } from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub,
+} from './_websites-store'
+
+/**
+ * POST /api/setzkasten/websites/remove
+ *
+ * Body: { id: string }
+ *
+ * Drops the matching entry from websites.json and commits the new file.
+ * Admin-only — editors must not be able to detach websites from the
+ * registry. Returns 404 when the id is not present, 502 when GitHub I/O
+ * fails.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  let body: { id?: string } = {}
+  try {
+    body = (await request.json()) as { id?: string }
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+  if (!body.id || typeof body.id !== 'string') {
+    return new Response(JSON.stringify({ error: 'Missing "id" in body' }), { status: 400 })
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value)
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").',
+      }),
+      { status: 400 },
+    )
+  }
+
+  const current = await readWebsitesRegistryFromGitHub(target)
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 })
+  }
+
+  const next = removeWebsiteFromRegistry(current.value.registry, body.id)
+  if (!next.ok) {
+    return new Response(JSON.stringify({ error: next.error.message }), { status: 404 })
+  }
+
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    next.value,
+    current.value.sha,
+    `chore(websites): remove "${body.id}" from registry`,
+  )
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 })
+  }
+
+  return new Response(JSON.stringify({ ok: true, websites: next.value.websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}