@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/__tests__/website-resolver-bootstrap.test.ts

@@ -0,0 +1,108 @@
+/**
+ * @vitest-environment node
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import {
+  __resetWebsiteResolverForTests,
+  bootstrapResolverFromGlobals,
+  resolveCurrentWebsite,
+} from '../_website-resolver'
+
+const SINGLE_FULL_CONFIG = {
+  storage: { kind: 'github-app', repo: 'acme/site', appId: '11', installationId: '99' },
+}
+
+const SINGLE_STORAGE = {
+  owner: 'acme',
+  repo: 'site',
+  branch: 'main',
+  contentPath: 'content',
+  assetsPath: 'public/images',
+  projectPrefix: '',
+}
+
+const STANDALONE_FULL_CONFIG = {
+  storage: {
+    kind: 'standalone',
+    configRepo: 'acme/cms-config',
+    configBranch: 'main',
+    appId: '11',
+    installationId: '777',
+  },
+}
+
+beforeEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+  vi.unstubAllEnvs()
+})
+
+afterEach(() => {
+  __resetWebsiteResolverForTests(null)
+  vi.unstubAllEnvs()
+})
+
+describe('bootstrapResolverFromGlobals – single-repo mode', () => {
+  it('synthesizes a WebsiteEntry from build-time storage + full-config + ENV', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = SINGLE_FULL_CONFIG
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = SINGLE_STORAGE
+    vi.stubEnv('GITHUB_APP_ID', '11')
+    vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '99')
+    vi.stubEnv('PUBLIC_SITE_URL', 'https://acme-site.example.com')
+
+    bootstrapResolverFromGlobals()
+    const req = new Request('https://cms.example.com/anything')
+    const result = await resolveCurrentWebsite(req)
+
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.repo).toBe('acme/site')
+      expect(result.value.branch).toBe('main')
+      expect(result.value.githubApp.installationId).toBe('99')
+    }
+  })
+
+  it('falls back to localhost previewOrigin when PUBLIC_SITE_URL is not set', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = SINGLE_FULL_CONFIG
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = SINGLE_STORAGE
+    vi.stubEnv('GITHUB_APP_ID', '11')
+    vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '99')
+
+    bootstrapResolverFromGlobals()
+    const result = await resolveCurrentWebsite(new Request('https://cms.example.com/anything'))
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.previewOrigin).toMatch(/localhost/)
+  })
+})
+
+describe('bootstrapResolverFromGlobals – standalone mode', () => {
+  it('does not crash when storage.kind === "standalone"', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = STANDALONE_FULL_CONFIG
+
+    expect(() => bootstrapResolverFromGlobals()).not.toThrow()
+  })
+})
+
+describe('bootstrapResolverFromGlobals – idempotent', () => {
+  it('does not overwrite existing state on a second call', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = SINGLE_FULL_CONFIG
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = SINGLE_STORAGE
+    vi.stubEnv('GITHUB_APP_ID', '11')
+    vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '99')
+
+    bootstrapResolverFromGlobals()
+    const first = await resolveCurrentWebsite(new Request('https://x'))
+
+    // change globals + bootstrap again — must be a no-op
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+      ...SINGLE_STORAGE,
+      repo: 'changed',
+    }
+    bootstrapResolverFromGlobals()
+
+    const second = await resolveCurrentWebsite(new Request('https://x'))
+    if (first.ok && second.ok) expect(second.value.repo).toBe(first.value.repo)
+  })
+})

package/src/api-routes/__tests__/website-resolver.test.ts

@@ -0,0 +1,123 @@
+/**
+ * @vitest-environment node
+ */
+
+import { type Result, type WebsiteEntry, ok } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { __resetWebsiteResolverForTests, resolveCurrentWebsite } from '../_website-resolver'
+
+const ENTRY_A: WebsiteEntry = {
+  id: 'site-a',
+  name: 'Site A',
+  repo: 'acme/site-a',
+  branch: 'main',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '1', installationId: '101' },
+}
+
+const ENTRY_B: WebsiteEntry = {
+  id: 'site-b',
+  name: 'Site B',
+  repo: 'acme/site-b',
+  branch: 'develop',
+  previewOrigin: 'https://b.example.com',
+  githubApp: { appId: '1', installationId: '202' },
+}
+
+interface MockRegistry {
+  list: ReturnType<typeof vi.fn>
+  get: ReturnType<typeof vi.fn>
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]): MockRegistry {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+function reqWithHeader(value: string | null) {
+  const headers: Record<string, string> = {}
+  if (value !== null) headers['x-sk-website'] = value
+  return new Request('https://cms.example.com/api/anything', { headers })
+}
+
+describe('resolveCurrentWebsite – standalone mode', () => {
+  beforeEach(() => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A, ENTRY_B]),
+    })
+  })
+
+  afterEach(() => __resetWebsiteResolverForTests(null))
+
+  it('returns the entry matching X-SK-Website', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader('site-b'))
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.id).toBe('site-b')
+  })
+
+  it('returns 400-style validation error when header is missing and registry has multiple entries', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader(null))
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.error.type).toBe('validation')
+      expect(result.error.message).toMatch(/X-SK-Website/i)
+    }
+  })
+
+  it('auto-selects the only entry when the registry has exactly one website', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A]),
+    })
+
+    const result = await resolveCurrentWebsite(reqWithHeader(null))
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.id).toBe('site-a')
+  })
+
+  it('returns not-found error for unknown website id', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader('does-not-exist'))
+
+    expect(result.ok).toBe(false)
+    if (!result.ok) expect(result.error.type).toBe('not-found')
+  })
+
+  it('rejects empty header values', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader(''))
+
+    expect(result.ok).toBe(false)
+  })
+})
+
+describe('resolveCurrentWebsite – single-repo mode (backward compat)', () => {
+  beforeEach(() => {
+    __resetWebsiteResolverForTests({
+      mode: 'single',
+      synthesized: ENTRY_A,
+    })
+  })
+
+  afterEach(() => __resetWebsiteResolverForTests(null))
+
+  it('always returns the synthesized entry — header is ignored', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader('whatever'))
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.id).toBe(ENTRY_A.id)
+  })
+
+  it('still works when no header is sent', async () => {
+    const result = await resolveCurrentWebsite(reqWithHeader(null))
+
+    expect(result.ok).toBe(true)
+    if (result.ok) expect(result.value.repo).toBe(ENTRY_A.repo)
+  })
+})

package/src/api-routes/__tests__/websites-add.test.ts

@@ -0,0 +1,305 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import type { WebsiteEntry } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const VALID_ENTRY: WebsiteEntry = {
+  id: 'new-site',
+  name: 'New Site',
+  repo: 'acme/new-site',
+  branch: 'main',
+  previewOrigin: 'https://new.example.com',
+  githubApp: { appId: '1', installationId: '999' },
+}
+
+const EXISTING_REGISTRY = {
+  websites: [
+    {
+      id: 'existing',
+      name: 'Existing',
+      repo: 'acme/existing',
+      branch: 'main',
+      previewOrigin: 'https://existing.example.com',
+      githubApp: { appId: '1', installationId: '111' },
+    },
+  ],
+}
+
+// Admin sessions only — websites-add is admin-gated. Tests that exercise
+// the unauthorized branch pass `null` to drop the cookie entirely.
+const ADMIN_SESSION = JSON.stringify({
+  user: {
+    id: 'u1',
+    email: 'admin@example.com',
+    role: 'admin',
+    provider: 'github',
+  },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(body: unknown, sessionValue: string | null = ADMIN_SESSION) {
+  const request = new Request('https://cms.example.com/api/setzkasten/websites/add', {
+    method: 'POST',
+    body: JSON.stringify(body),
+    headers: { 'content-type': 'application/json' },
+  })
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  // Default: pro license — enough for the existing happy-path assertions.
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'standalone',
+      configRepo: 'acme/cms-config',
+      configBranch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+describe('POST /api/setzkasten/websites/add', () => {
+  it('returns 401 without a session', async () => {
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ entry: VALID_ENTRY }, null),
+    )
+
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 400 when the body is missing entry', async () => {
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({}))
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when entry is malformed (slug check)', async () => {
+    const { POST } = await import('../websites-add')
+    const broken = { ...VALID_ENTRY, id: 'has spaces' }
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: broken }))
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 409 when the id already exists in the registry', async () => {
+    const fetchMock = vi.fn(async (url: string) => {
+      if (url.includes('/contents/websites.json')) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify(EXISTING_REGISTRY)).toString('base64'),
+            sha: 'abc',
+          }),
+        } as Response
+      }
+      if (url.includes('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      throw new Error(`unexpected URL: ${url}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const dup = { ...VALID_ENTRY, id: 'existing' }
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: dup }))
+
+    expect(res.status).toBe(409)
+  })
+
+  it('writes an updated registry to GitHub on success', async () => {
+    const calls: Array<{ url: string; method?: string; body?: unknown }> = []
+    const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+      calls.push({ url, method: init?.method, body: init?.body })
+      if (url.includes('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      if (url.includes('/contents/websites.json') && (init?.method ?? 'GET') === 'GET') {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify(EXISTING_REGISTRY)).toString('base64'),
+            sha: 'abc',
+          }),
+        } as Response
+      }
+      if (url.includes('/contents/websites.json') && init?.method === 'PUT') {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ content: { sha: 'new-sha' } }),
+        } as Response
+      }
+      throw new Error(`unexpected URL: ${url} method=${init?.method}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+
+    expect(res.status).toBe(200)
+
+    const putCall = calls.find((c) => c.method === 'PUT')
+    expect(putCall).toBeDefined()
+    const writtenBody = JSON.parse(String(putCall!.body)) as {
+      content: string
+      sha?: string
+      branch: string
+    }
+    expect(writtenBody.sha).toBe('abc')
+    const decoded = JSON.parse(Buffer.from(writtenBody.content, 'base64').toString('utf-8'))
+    expect(decoded.websites.map((w: WebsiteEntry) => w.id)).toEqual(['existing', 'new-site'])
+  })
+})
+
+// ---------------------------------------------------------------------------
+// License gating
+// ---------------------------------------------------------------------------
+
+function mockGithubFetchWithRegistry(websites: unknown[]) {
+  const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+    if (url.includes('/access_tokens')) {
+      return {
+        ok: true,
+        json: async () => ({
+          token: 'gh_mock',
+          expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+        }),
+      } as Response
+    }
+    if (url.includes('/contents/websites.json') && (init?.method ?? 'GET') === 'GET') {
+      return {
+        ok: true,
+        json: async () => ({
+          content: Buffer.from(JSON.stringify({ websites })).toString('base64'),
+          sha: 'abc',
+        }),
+      } as Response
+    }
+    if (url.includes('/contents/websites.json') && init?.method === 'PUT') {
+      return { ok: true, json: async () => ({ content: { sha: 'new' } }) } as Response
+    }
+    throw new Error(`unexpected URL: ${url} method=${init?.method}`)
+  })
+  vi.stubGlobal('fetch', fetchMock)
+}
+
+function makeEntry(id: string): WebsiteEntry {
+  return {
+    id,
+    name: id,
+    repo: `acme/${id}`,
+    branch: 'main',
+    previewOrigin: `https://${id}.example.com`,
+    githubApp: { appId: '1', installationId: id.replace(/\D/g, '') || '111' },
+  }
+}
+
+describe('POST /api/setzkasten/websites/add — license gating', () => {
+  it('returns 402 with a clear message when free license is used', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', '')
+    mockGithubFetchWithRegistry([])
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+    const body = (await res.json()) as { error?: string }
+
+    expect(res.status).toBe(402)
+    expect(body.error).toMatch(/Pro.*Enterprise/i)
+  })
+
+  it('returns 402 when pro tier is at the 5-website limit', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAA-BBBB-CCCC')
+    mockGithubFetchWithRegistry([
+      makeEntry('site-1'),
+      makeEntry('site-2'),
+      makeEntry('site-3'),
+      makeEntry('site-4'),
+      makeEntry('site-5'),
+    ])
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+    const body = (await res.json()) as { error?: string }
+
+    expect(res.status).toBe(402)
+    expect(body.error).toMatch(/Pro.*5/i)
+  })
+
+  it('accepts the 5th website on pro tier', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAA-BBBB-CCCC')
+    mockGithubFetchWithRegistry([
+      makeEntry('site-1'),
+      makeEntry('site-2'),
+      makeEntry('site-3'),
+      makeEntry('site-4'),
+    ])
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+
+    expect(res.status).toBe(200)
+  })
+
+  it('accepts up to 20 websites on enterprise tier', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-ENT-AAAA-BBBB-CCCC')
+    mockGithubFetchWithRegistry(Array.from({ length: 19 }, (_, i) => makeEntry(`site-${i + 1}`)))
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+
+    expect(res.status).toBe(200)
+  })
+
+  it('returns 402 when enterprise tier is at the 20-website limit', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-ENT-AAAA-BBBB-CCCC')
+    mockGithubFetchWithRegistry(Array.from({ length: 20 }, (_, i) => makeEntry(`site-${i + 1}`)))
+
+    const { POST } = await import('../websites-add')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ entry: VALID_ENTRY }))
+    const body = (await res.json()) as { error?: string }
+
+    expect(res.status).toBe(402)
+    expect(body.error).toMatch(/Enterprise.*20/i)
+  })
+})

package/src/api-routes/__tests__/websites-list.test.ts

@@ -0,0 +1,112 @@
+/**
+ * @vitest-environment node
+ */
+
+import { type Result, type WebsiteEntry, ok } from '@setzkasten-cms/core'
+import { afterEach, describe, expect, it, vi } from 'vitest'
+import { __resetWebsiteResolverForTests } from '../_website-resolver'
+
+const ENTRY_A: WebsiteEntry = {
+  id: 'site-a',
+  name: 'Site A',
+  repo: 'acme/site-a',
+  branch: 'main',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '1', installationId: '101' },
+}
+
+const ENTRY_B: WebsiteEntry = {
+  id: 'site-b',
+  name: 'Site B',
+  repo: 'acme/site-b',
+  branch: 'develop',
+  previewOrigin: 'https://b.example.com',
+  githubApp: { appId: '1', installationId: '202' },
+  allowedEmails: ['secret@example.com'],
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]) {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+function makeCtx(sessionValue?: string) {
+  return {
+    request: new Request('https://cms.example.com/api/setzkasten/websites'),
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+import { GET } from '../websites-list'
+
+describe('GET /api/setzkasten/websites', () => {
+  afterEach(() => __resetWebsiteResolverForTests(null))
+
+  it('returns 401 when no session cookie is present', async () => {
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry([ENTRY_A]) })
+
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(res.status).toBe(401)
+  })
+
+  it('returns the list of websites when authenticated', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A, ENTRY_B]),
+    })
+
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx('valid'))
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.websites).toHaveLength(2)
+    expect(body.websites[0].id).toBe('site-a')
+    expect(body.websites[1].id).toBe('site-b')
+  })
+
+  it('does not expose githubApp installation ids in the response', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_B]),
+    })
+
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx('valid'))
+    const body = await res.json()
+
+    expect(body.websites[0]).not.toHaveProperty('githubApp')
+    expect(JSON.stringify(body)).not.toContain('202')
+  })
+
+  it('does not expose allowedEmails in the response', async () => {
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_B]),
+    })
+
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx('valid'))
+    const body = await res.json()
+
+    expect(body.websites[0]).not.toHaveProperty('allowedEmails')
+    expect(JSON.stringify(body)).not.toContain('secret@example.com')
+  })
+
+  it('returns the synthesized entry in single-repo mode', async () => {
+    __resetWebsiteResolverForTests({ mode: 'single', synthesized: ENTRY_A })
+
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx('valid'))
+    const body = await res.json()
+
+    expect(res.status).toBe(200)
+    expect(body.websites).toHaveLength(1)
+    expect(body.websites[0].id).toBe(ENTRY_A.id)
+  })
+})