@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/global-config.ts

@@ -0,0 +1,149 @@
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { withTrailers } from './_commit-trailers'
+
+const GLOBAL_CONFIG_FILE = (contentPath: string) => `${contentPath}/_global_config.json`
+
+export interface GlobalConfig {
+  firebaseConfig?: {
+    apiKey: string
+    authDomain: string
+    projectId: string
+  }
+  theme?: {
+    primaryColor?: string
+    brandName?: string
+    logo?: string
+  }
+}
+
+// ---------------------------------------------------------------------------
+// GET /api/setzkasten/global-config — any authenticated user
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  const cfg = await readGlobalConfig()
+  return Response.json(cfg ?? {})
+}
+
+// ---------------------------------------------------------------------------
+// PUT /api/setzkasten/global-config — admin only
+// ---------------------------------------------------------------------------
+
+export const PUT: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+  if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
+
+  let patch: Partial<GlobalConfig>
+  try {
+    patch = (await request.json()) as Partial<GlobalConfig>
+  } catch {
+    return Response.json({ error: 'Invalid request body' }, { status: 400 })
+  }
+
+  const current = (await readGlobalConfig()) ?? {}
+  const next: GlobalConfig = { ...current }
+  for (const [k, v] of Object.entries(patch)) {
+    if (v === null) delete (next as Record<string, unknown>)[k]
+    else (next as Record<string, unknown>)[k] = v
+  }
+  await writeGlobalConfig(next)
+  return Response.json({ ok: true })
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+//
+// Global config is a Setzkasten-instance-level file that lives in the
+// config-repo regardless of which website the request is targeting:
+// - Single-Mode: config-repo == website-repo, so this is fine
+// - Multi-Mode: config-repo holds editors + global config + websites.json
+// We deliberately ignore the request and X-SK-Website here; otherwise
+// global config would ping-pong between per-website locations as users
+// switch active sites.
+// ---------------------------------------------------------------------------
+
+async function getStorageParams() {
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
+  const storage = resolveStorageConfig()
+  if (!storage) return null
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return null
+  return {
+    owner: storage.owner,
+    repo: storage.repo,
+    branch: storage.branch,
+    contentPath: serverConfig?.storage?.contentPath ?? 'content',
+    token: tokenResult.value,
+  }
+}
+
+export async function readGlobalConfig(): Promise<GlobalConfig | null> {
+  const params = await getStorageParams()
+  if (!params) return null
+  const { owner, repo, branch, contentPath, token } = params
+  const key = `global-config:${owner}/${repo}:${branch}`
+  return cachedFetch(key, 5 * 60_000, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { content: string; encoding: string }
+    const raw = data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+    return JSON.parse(raw) as GlobalConfig
+  })
+}
+
+export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
+  const params = await getStorageParams()
+  if (!params) throw new Error('Storage not configured')
+  const { owner, repo, branch, contentPath, token } = params
+  invalidateCache(`global-config:${owner}/${repo}:${branch}`)
+  const filePath = GLOBAL_CONFIG_FILE(contentPath)
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // Get current SHA if file exists
+  let sha: string | undefined
+  try {
+    const existing = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}?ref=${branch}`,
+      { headers },
+    )
+    if (existing.ok) {
+      const data = await existing.json() as { sha: string }
+      sha = data.sha
+    }
+  } catch { /* file doesn't exist yet */ }
+
+  const body: Record<string, unknown> = {
+    message: withTrailers('chore(config): update global config'),
+    content: Buffer.from(JSON.stringify(config, null, 2)).toString('base64'),
+    branch,
+  }
+  if (sha) body.sha = sha
+
+  const res = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: 'PUT', headers, body: JSON.stringify(body) },
+  )
+  if (!res.ok) {
+    const text = await res.text()
+    throw new Error(`GitHub write failed: ${text}`)
+  }
+}

package/src/api-routes/init-add-section.ts

@@ -1,9 +1,11 @@
 import type { APIRoute } from 'astro'
 import type { InferredSection } from '@setzkasten-cms/core/init'
 import { addSectionToConfig } from '@setzkasten-cms/core/init'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { patchTemplateForFields, stripTemplateFallbacks } from '../init/template-patcher-v2'
 import type { RepeatedGroup } from '../init/analyzer-types'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/add-section
@@ -20,10 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -37,7 +40,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }
@@ -84,7 +87,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // Only add values for fields that don't already exist
     for (const field of section.fields) {
       if (!(field.key in sectionData)) {
-        sectionData[field.key] = field.defaultValue ?? getDefaultValue(field.type)
+        let value = field.defaultValue ?? getDefaultValue(field.type)
+        if (Array.isArray(value)) value = value.filter((item: unknown) => item != null)
+        sectionData[field.key] = value
       }
     }
 
@@ -208,7 +213,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         for (const g of repeatedGroups) {
           const topField = fields.find(f => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          sectionData[g.fieldKey] = topField.defaultValue
+          sectionData[g.fieldKey] = (topField.defaultValue as unknown[]).filter(item => item != null)
           const jsonIdx = filesToCommit.findIndex(f => f.path === sectionJsonPath)
           if (jsonIdx !== -1) {
             filesToCommit[jsonIdx]!.content = JSON.stringify(sectionData, null, 2)
@@ -232,7 +237,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         for (const g of repeatedGroups) {
           const topField = fields.find(f => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          const items = topField.defaultValue as Array<Record<string, unknown>>
+          const items = (topField.defaultValue as Array<Record<string, unknown>>).filter(item => item != null)
 
           // Update sectionData with the enriched items array
           sectionData[g.fieldKey] = items
@@ -279,9 +284,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       filesToCommit,
-      existingSectionJson
+      withTrailers(existingSectionJson
         ? `content: update ${section.key} section — add new fields`
-        : `content: add ${section.key} section to Setzkasten`,
+        : `content: add ${section.key} section to Setzkasten`),
       headers,
     )
 
@@ -289,6 +294,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: commitResult.error }, { status: 500 })
     }
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({
       success: true,
       commitSha: commitResult.sha,

package/src/api-routes/init-apply.ts

@@ -2,6 +2,8 @@ import type { APIRoute } from 'astro'
 import { generateConfigFile, type InferredSection, type ConfigGeneratorInput } from '@setzkasten-cms/core/init'
 import { patchAstroConfig } from '../init/astro-config-patcher'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 interface ApplyRequest {
   owner: string
@@ -35,10 +37,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as ApplyRequest
@@ -115,7 +118,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       filesToCommit,
-      'feat: initialize Setzkasten CMS',
+      withTrailers('feat: initialize Setzkasten CMS'),
       githubToken,
     )
 

package/src/api-routes/init-migrate.ts

@@ -1,7 +1,9 @@
 import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/migrate
@@ -20,10 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -34,7 +37,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       componentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }
@@ -108,7 +111,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       [{ path: componentPath, content: patched }],
-      `chore: add live-preview bindings to ${sectionKey} section`,
+      withTrailers(`chore: add live-preview bindings to ${sectionKey} section`),
       headers,
     )
 

package/src/api-routes/init-scan-page.ts

@@ -1,9 +1,28 @@
 import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { extractSectionImports, extractLayoutImport } from '../init/astro-detector'
 import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
 import type { RepoFile } from '@setzkasten-cms/core/init'
+import { resolveGitHubTokenForRequest } from './_github-token'
+
+// Build-time constant injected by the Vite define plugin — always available in
+// compiled API routes (unlike page-ssr injectScript which only runs for SSR pages).
+declare const __SETZKASTEN_FULL_CONFIG__: SetzKastenConfig | null | undefined
+
+/**
+ * Resolves the full Setzkasten config.
+ * Reads the Vite build-time constant first; falls back to globalThis for
+ * local dev / test environments where the define is not applied.
+ *
+ * Without the build-time fallback, cold-start Vercel function invocations of
+ * this API route see managedSections={} and offer every adopted section
+ * (including _layout_header / _layout_footer) for re-adoption.
+ */
+export function resolveFullConfig(): SetzKastenConfig | undefined {
+  const buildConfig = typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null
+  return (buildConfig ?? (globalThis as any).__SETZKASTEN_FULL_CONFIG__) as SetzKastenConfig | undefined
+}
 
 /**
  * POST /api/setzkasten/init/scan-page
@@ -21,10 +40,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -35,7 +55,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       projectRoot?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }
@@ -47,7 +67,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     }
 
     // Get current schema to know which sections are already managed + their fields
-    const config = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as SetzKastenConfig | undefined
+    const config = resolveFullConfig()
     const managedSections = new Map<string, Set<string>>() // key → field keys
     if (config) {
       for (const product of Object.values(config.products)) {

package/src/api-routes/init-scan.ts

@@ -2,6 +2,7 @@ import type { APIRoute } from 'astro'
 import { analyzeProject, type RepoFile } from '@setzkasten-cms/core/init'
 import { findAstroPages, extractSectionImports } from '../init/astro-detector'
 import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/scan
@@ -16,10 +17,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as { owner: string; repo: string; branch?: string }

package/src/api-routes/migrate-to-multi.ts

@@ -0,0 +1,255 @@
+import { type WebsiteEntry, canAddWebsite, isMultiModeAvailable } from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveLicenseTier } from './_license-tier'
+import { resolveStorageConfig } from './_storage-config'
+
+/**
+ * POST /api/setzkasten/migrate/to-multi
+ *
+ * Body: { configRepo: 'owner/repo', configInstallationId: string,
+ *         previewOrigin?: string }
+ *
+ * Admin-only. Expects the deployer to have already (1) created the
+ * config repo and (2) installed the GitHub App on it. The endpoint then:
+ *
+ * 1. Reads `_editors.json` and `_global_config.json` from the current
+ *    single-mode website repo.
+ * 2. Writes both files into `<config-repo>/content/`.
+ * 3. Initialises `<config-repo>/websites.json` with a single entry that
+ *    snapshots the current single-mode setup (repo, branch, preview
+ *    origin, App-Installation-ID).
+ *
+ * After a 200 response the deployer still has to update
+ * `setzkasten.config.ts` (kind: 'single' → 'multi') and the ENV
+ * variables and redeploy. The wizard surfaces a copy-ready diff for
+ * those manual steps.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response(JSON.stringify({ error: 'Unauthorized' }), { status: 401 })
+  if (session.user.role !== 'admin')
+    return new Response(JSON.stringify({ error: 'Forbidden' }), { status: 403 })
+
+  const tier = resolveLicenseTier()
+  if (!isMultiModeAvailable(tier)) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-Mode ist nur mit Pro- oder Enterprise-Lizenz verfügbar.',
+        tier,
+      }),
+      { status: 402, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  let body: { configRepo?: string; configInstallationId?: string; previewOrigin?: string } = {}
+  try {
+    body = (await request.json()) as typeof body
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+
+  if (!body.configRepo || typeof body.configRepo !== 'string' || !body.configRepo.includes('/')) {
+    return new Response(JSON.stringify({ error: 'configRepo (owner/repo) ist erforderlich' }), {
+      status: 400,
+    })
+  }
+  if (!body.configInstallationId || typeof body.configInstallationId !== 'string') {
+    return new Response(JSON.stringify({ error: 'configInstallationId ist erforderlich' }), {
+      status: 400,
+    })
+  }
+
+  const fullConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+    | { storage?: { kind?: string } }
+    | undefined
+  if (
+    fullConfig?.storage?.kind &&
+    fullConfig.storage.kind !== 'single' &&
+    fullConfig.storage.kind !== 'github-app'
+  ) {
+    return new Response(
+      JSON.stringify({
+        error: `Migration nur aus dem Single-Mode möglich. Aktueller storage.kind: ${fullConfig.storage.kind ?? 'unbekannt'}`,
+      }),
+      { status: 400 },
+    )
+  }
+
+  // We need the source-tier slot just in case the config repo already has
+  // entries — defensively preflight the limit so we never half-migrate.
+  const allowed = canAddWebsite(tier, 0)
+  if (!allowed.ok) {
+    return new Response(JSON.stringify({ error: allowed.reason }), { status: 402 })
+  }
+
+  const sourceStorage = resolveStorageConfig()
+  if (!sourceStorage) {
+    return new Response(
+      JSON.stringify({ error: 'Single-Mode Storage konnte nicht aufgelöst werden' }),
+      { status: 500 },
+    )
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+  const token = tokenResult.value
+
+  const [configOwner, configRepo] = body.configRepo.split('/')
+  if (!configOwner || !configRepo) {
+    return new Response(JSON.stringify({ error: 'configRepo muss "owner/repo" sein' }), {
+      status: 400,
+    })
+  }
+
+  const sourceContentPath: string =
+    (
+      (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+        | { storage?: { contentPath?: string } }
+        | undefined
+    )?.storage?.contentPath ?? 'content'
+
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  const ghBase = (owner: string, repo: string, path: string) =>
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`
+
+  // 1. Read editors + global from website repo (best-effort — both files
+  //    are optional in single-mode setups).
+  const sourceEditors = await readOptional(
+    ghBase(sourceStorage.owner, sourceStorage.repo, `${sourceContentPath}/_editors.json`),
+    `?ref=${sourceStorage.branch}`,
+    headers,
+  )
+  const sourceGlobal = await readOptional(
+    ghBase(sourceStorage.owner, sourceStorage.repo, `${sourceContentPath}/_global_config.json`),
+    `?ref=${sourceStorage.branch}`,
+    headers,
+  )
+
+  // 2. Write copies into config repo. (Branch defaults to 'main' since the
+  //    user just created the repo; we don't expose a branch override here.)
+  const configBranch = 'main'
+
+  const editorsCommit = sourceEditors
+    ? await putFile(
+        ghBase(configOwner, configRepo, 'content/_editors.json'),
+        sourceEditors,
+        configBranch,
+        'chore(migrate): copy editors from website repo',
+        headers,
+      )
+    : true
+
+  const globalCommit = sourceGlobal
+    ? await putFile(
+        ghBase(configOwner, configRepo, 'content/_global_config.json'),
+        sourceGlobal,
+        configBranch,
+        'chore(migrate): copy global config from website repo',
+        headers,
+      )
+    : true
+
+  // 3. Initialise websites.json with the current setup as the first entry.
+  const previewOrigin = body.previewOrigin ?? process.env.PUBLIC_SITE_URL ?? 'http://localhost:4321'
+
+  const initialEntry: WebsiteEntry = {
+    id: 'main',
+    name: sourceStorage.repo,
+    repo: `${sourceStorage.owner}/${sourceStorage.repo}`,
+    branch: sourceStorage.branch,
+    previewOrigin,
+    githubApp: {
+      appId: process.env.GITHUB_APP_ID ?? '',
+      installationId: process.env.GITHUB_APP_INSTALLATION_ID ?? '',
+    },
+  }
+
+  const websitesContent = JSON.stringify({ websites: [initialEntry] }, null, 2)
+
+  const websitesCommit = await putFile(
+    ghBase(configOwner, configRepo, 'websites.json'),
+    websitesContent,
+    configBranch,
+    'feat(migrate): initialise websites.json with current single-mode setup',
+    headers,
+  )
+
+  return new Response(
+    JSON.stringify({
+      ok: true,
+      committed: {
+        editors: editorsCommit,
+        globalConfig: globalCommit,
+        websites: websitesCommit,
+      },
+      // Echo back the values the user still has to set themselves.
+      manual: {
+        configRepo: body.configRepo,
+        configInstallationId: body.configInstallationId,
+        configBranch,
+        envChanges: {
+          add: {
+            SETZKASTEN_CONFIG_REPO: body.configRepo,
+            SETZKASTEN_CONFIG_BRANCH: configBranch,
+            GITHUB_APP_CONFIG_INSTALLATION_ID: body.configInstallationId,
+          },
+        },
+      },
+    }),
+    { status: 200, headers: { 'Content-Type': 'application/json' } },
+  )
+}
+
+async function readOptional(
+  url: string,
+  qs: string,
+  headers: Record<string, string>,
+): Promise<string | null> {
+  const res = await fetch(url + qs, { headers })
+  if (!res.ok) return null
+  const data = (await res.json()) as { content: string; encoding: string }
+  return data.encoding === 'base64'
+    ? Buffer.from(data.content, 'base64').toString('utf-8')
+    : data.content
+}
+
+async function putFile(
+  url: string,
+  content: string,
+  branch: string,
+  message: string,
+  headers: Record<string, string>,
+): Promise<boolean> {
+  // Read existing SHA so we can update an existing file rather than 422.
+  let sha: string | undefined
+  try {
+    const existing = await fetch(`${url}?ref=${branch}`, { headers })
+    if (existing.ok) {
+      const data = (await existing.json()) as { sha?: string }
+      sha = data.sha
+    }
+  } catch {
+    /* file doesn't exist — fine */
+  }
+
+  const body: Record<string, unknown> = {
+    message: withTrailers(message),
+    content: Buffer.from(content).toString('base64'),
+    branch,
+  }
+  if (sha) body.sha = sha
+
+  const res = await fetch(url, { method: 'PUT', headers, body: JSON.stringify(body) })
+  return res.ok
+}