@setzkasten-cms/astro-admin 0.6.0 → 1.1.0

package/src/api-routes/pages.ts

@@ -1,17 +1,149 @@
 import type { APIRoute } from 'astro'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { readPagesMeta, type PagesMetaTarget } from './_pages-meta-store'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { cachedFetch } from './_github-cache'
+
+interface PageInfo {
+  path: string
+  pageKey: string
+  label: string
+  hasConfig: boolean
+  /** Unix-ms timestamp of the page's last Setzkasten-driven commit, when
+   *  `_pages-meta.json` knows about the page. */
+  lastModified?: number
+}
+
+// Build-time constant injected by the Vite define plugin — always available in
+// compiled API routes (unlike page-ssr injectScript which only runs for SSR pages).
+declare const __SETZKASTEN_PAGES__: PageInfo[] | undefined
 
 /**
- * Returns the list of pages detected at build time.
- * The pages are scanned from src/pages/ by the integration hook
- * and injected into globalThis.__SETZKASTEN_PAGES__.
+ * Returns the list of pages scanned at build time.
+ * Reads the Vite build-time constant first; falls back to globalThis for
+ * local dev / test environments where the define is not applied.
  *
+ * Only valid in single-mode where the admin and the website share the same
+ * Astro project. Multi-mode has to fetch the page list per website at
+ * runtime (see {@link fetchPagesFromGitHub}).
+ */
+export function resolvePages(): PageInfo[] {
+  const buildPages = typeof __SETZKASTEN_PAGES__ !== 'undefined' ? __SETZKASTEN_PAGES__ : null
+  return buildPages ?? (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[] ?? []
+}
+
+/**
  * GET /api/setzkasten/pages
+ *
+ * Single-mode: returns the build-time scan from the admin's own Astro
+ * project, enriched with `_pages-meta.json` timestamps from the
+ * (single) repo.
+ *
+ * Multi-mode: the X-SK-Website header selects one of the registered
+ * websites. The admin doesn't have build-time access to that website's
+ * `src/pages/` directory, so we fetch it via the GitHub Contents API
+ * (cached for 5 min), then enrich with the per-website
+ * `_pages-meta.json`. Without this branch, every website in Multi-Mode
+ * would see the admin's own page list — typically a single "index"
+ * stub — instead of its real pages.
  */
-export const GET: APIRoute = async () => {
-  const pages = (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ ?? []
+export const GET: APIRoute = async ({ request }) => {
+  const isMulti = request.headers.get('x-sk-website') !== null
+  const pages = isMulti
+    ? await fetchPagesFromGitHub(request).catch(() => [])
+    : resolvePages()
+
+  const enriched = await enrichWithLastModified(pages, request).catch(() => pages)
 
-  return new Response(JSON.stringify({ pages }), {
+  return new Response(JSON.stringify({ pages: enriched }), {
     status: 200,
     headers: { 'Content-Type': 'application/json' },
   })
 }
+
+interface ContentsApiEntry {
+  type: 'file' | 'dir' | 'symlink' | 'submodule'
+  name: string
+  path: string
+}
+
+/**
+ * Lists the website's `src/pages/` directory via the GitHub Contents API
+ * and turns it into PageInfo entries. Only top-level `.astro` files
+ * (excluding `_layout.astro` and other underscore-prefixed privates and
+ * dynamic `[slug].astro` routes) become editable pages.
+ *
+ * Cached for 5 minutes per (owner, repo, branch) — the page list is a
+ * structural change that rarely happens during a normal editing session.
+ */
+async function fetchPagesFromGitHub(request: Request): Promise<PageInfo[]> {
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) return []
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return []
+
+  const { owner, repo, branch } = storage
+  const cacheKey = `pages-list:${owner}/${repo}:${branch}`
+  return cachedFetch(cacheKey, 5 * 60_000, async () => {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contents/src/pages?ref=${branch}`
+    const res = await fetch(url, {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+    if (!res.ok) return []
+    const entries = (await res.json()) as ContentsApiEntry[]
+    if (!Array.isArray(entries)) return []
+
+    const pages: PageInfo[] = []
+    for (const entry of entries) {
+      if (entry.type !== 'file') continue
+      if (!entry.name.endsWith('.astro')) continue
+      // Skip privates (_layout.astro etc.) and dynamic routes ([slug].astro).
+      if (entry.name.startsWith('_') || entry.name.startsWith('[')) continue
+      const pageKey = entry.name.slice(0, -'.astro'.length)
+      pages.push({
+        path: entry.path,
+        pageKey,
+        label: pageKey === 'index' ? 'Startseite' : pageKey,
+        hasConfig: true,
+      })
+    }
+    return pages
+  })
+}
+
+async function enrichWithLastModified(
+  pages: PageInfo[],
+  request: Request,
+): Promise<PageInfo[]> {
+  if (pages.length === 0) return pages
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) return pages
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return pages
+
+  const serverConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { storage?: { contentPath?: string } }
+    | undefined
+  const target: PagesMetaTarget = {
+    owner: storage.owner,
+    repo: storage.repo,
+    branch: storage.branch,
+    contentPath: serverConfig?.storage?.contentPath ?? 'content',
+    token: tokenResult.value,
+  }
+
+  const meta = await readPagesMeta(target)
+  if (!meta.ok) return pages
+
+  return pages.map((p) => {
+    const ts = meta.value.meta.pages[p.pageKey]?.lastModified
+    return ts !== undefined ? { ...p, lastModified: ts } : p
+  })
+}

package/src/api-routes/section-add.ts

@@ -1,6 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateAddKey, addToPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/add
@@ -19,8 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -34,7 +40,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -47,6 +53,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -97,12 +106,21 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(defaultContent, null, 2) },
       ],
-      `content: add ${sectionType} section "${newKey}" to ${pageKey}`,
+      withTrailers(
+        `content: add ${sectionType} section "${newKey}" to ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, newKey, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-add error:', error)

package/src/api-routes/section-commit-pending.ts

@@ -1,7 +1,10 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
-import { resolveStorageConfig } from './_storage-config'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/commit-pending
@@ -20,8 +23,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -35,11 +41,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, pageConfig, sections, edits = [] } = body
 
@@ -47,6 +54,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey, pageConfig, and sections are required' }, { status: 400 })
     }
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -79,7 +89,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       const keys = edits.map(s => s.key).join(', ')
       parts.push(`update ${edits.length} section${edits.length > 1 ? 's' : ''} (${keys})`)
     }
-    const commitMessage = `content: ${parts.length > 0 ? parts.join(', ') : 'update page config'} on ${pageKey}`
+    const editorEmail = parseSession(cookies.get('setzkasten_session')?.value)?.user?.email
+    const commitMessage = withTrailers(
+      `content: ${parts.length > 0 ? parts.join(', ') : 'update page config'} on ${pageKey}`,
+      editorEmail,
+    )
     const commitResult = await batchCommit(owner, repo, branch, files, commitMessage, headers)
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
@@ -96,6 +110,15 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       )
     }
 
+    // Best-effort recency tracking. Metadata write must not derail the
+    // primary save — surface failures via the trailing return only.
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    const metaContentPath: string = serverConfig?.storage?.contentPath ?? 'content'
+    await recordPageEdit(
+      { owner, repo, branch, contentPath: metaContentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-commit-pending error:', error)

package/src/api-routes/section-delete.ts

@@ -1,6 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { removeFromPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * DELETE /api/setzkasten/sections
@@ -16,8 +19,11 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -29,11 +35,12 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, sectionKey } = body
 
@@ -41,6 +48,9 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -65,12 +75,21 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       owner, repo, branch,
       [{ path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) }],
       [sectionJsonPath],
-      `content: remove ${sectionKey} section from ${pageKey}`,
+      withTrailers(
+        `content: remove ${sectionKey} section from ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
       headers,
     )
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-delete error:', error)

package/src/api-routes/section-duplicate.ts

@@ -1,6 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/duplicate
@@ -16,8 +19,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -29,11 +35,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+    const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = body.contentPath || serverConfig?.storage?.contentPath || 'content'
     const { pageKey, sectionKey } = body
 
@@ -41,6 +48,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: 'application/vnd.github+json',
@@ -77,10 +87,20 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     }
 
     const commitResult = await batchCommit(owner, repo, branch, filesToCommit,
-      `content: duplicate ${sectionKey} → ${newKey} on ${pageKey}`, headers)
+      withTrailers(
+        `content: duplicate ${sectionKey} → ${newKey} on ${pageKey}`,
+        parseSession(cookies.get('setzkasten_session')?.value)?.user?.email,
+      ),
+      headers)
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, newKey, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-duplicate error:', error)

package/src/api-routes/section-prepare-copy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig } from './_storage-config'
+import { resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/prepare-copy
@@ -13,14 +14,24 @@ import { generateDuplicateKey, duplicateInPageConfig } from './section-managemen
  * The client uses this to update local state + preview draft immediately.
  * Only committed to GitHub when the user presses "Live setzen".
  *
+ * Note: this route intentionally does NOT call recordPageEdit. The
+ * page-recency spec lists it as a "mutating route", but in practice it
+ * only reads and returns — the real GitHub commit happens later in
+ * commit-pending, which records the edit. Bumping the timestamp here
+ * would mark a page as recently-modified even when the user opens the
+ * duplicate dialog and then cancels without committing.
+ *
  * Body: { pageKey, sectionKey, owner?, repo?, branch?, contentPath? }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -32,7 +43,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 

package/src/api-routes/section-prepare.ts

@@ -1,6 +1,8 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateAddKey } from './section-management'
+import { parseSession, guardPageAccess } from './_auth-guard'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/prepare
@@ -19,8 +21,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -32,7 +37,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 
@@ -45,6 +50,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
 
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    if (denied) return denied
+
     // 1. Read current page config from GitHub to determine existing keys
     const configKey = '_' + pageKey.replace(/\//g, '_')
     const pageConfigPath = `${contentPath}/pages/${configKey}.json`

package/src/api-routes/setup-github-app-bounce.ts

@@ -0,0 +1,52 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+/**
+ * Server-side manifest bounce for the GitHub App Manifest flow.
+ *
+ * GET /api/setzkasten/setup/github-app/bounce?name=my-app
+ *
+ * Generates the GitHub App manifest JSON using the server-known origin,
+ * then returns a minimal HTML page that auto-submits a form to GitHub.
+ */
+export const GET: APIRoute = async ({ url, request }) => {
+  const name = url.searchParams.get('name')?.trim() || 'Setzkasten CMS'
+  const origin = getPublicOrigin(request)
+
+  const manifest = JSON.stringify({
+    name,
+    url: origin,
+    redirect_url: `${origin}/api/setzkasten/setup/github-app/callback`,
+    setup_url: `${origin}/api/setzkasten/setup/github-app/installed`,
+    setup_on_update: false,
+    public: false,
+    default_permissions: { contents: 'write' },
+  })
+
+  const safeManifest = manifest.replace(/&/g, '&').replace(/"/g, '"')
+
+  const html = `<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8">
+  <title>Weiterleitung zu GitHub…</title>
+  <style>
+    body { font-family: sans-serif; display: flex; align-items: center;
+           justify-content: center; height: 100vh; margin: 0;
+           background: #0d1117; color: #e6edf3; }
+    p { opacity: .6; }
+  </style>
+</head>
+<body>
+  <p>Weiterleitung zu GitHub…</p>
+  <form id="f" method="POST" action="https://github.com/settings/apps/new">
+    <input type="hidden" name="manifest" value="${safeManifest}">
+  </form>
+  <script>document.getElementById('f').submit()</script>
+</body>
+</html>`
+
+  return new Response(html, {
+    headers: { 'Content-Type': 'text/html; charset=utf-8' },
+  })
+}

package/src/api-routes/setup-github-app-branches.ts

@@ -0,0 +1,63 @@
+import type { APIRoute } from 'astro'
+import { listRepoBranches } from '@setzkasten-cms/github-adapter'
+import { requireAdmin } from './_auth-guard'
+
+/**
+ * GET /api/setzkasten/setup/github-app/branches?installation=<id>&repo=<owner/repo>
+ *
+ * Returns the list of branches for one repo, fetched via the installation
+ * token of the given installation. Used by the WebsitesView form so the
+ * Branch field becomes a dropdown after the user picks a repo.
+ *
+ * Admin-only — same reasoning as /setup/github-app/repos.
+ */
+export const GET: APIRoute = async ({ cookies, url }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error:
+          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+      }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const installationId = url.searchParams.get('installation')
+  const repoFull = url.searchParams.get('repo')
+  if (!installationId || !repoFull) {
+    return new Response(
+      JSON.stringify({ error: 'Both ?installation and ?repo (owner/name) are required.' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const slash = repoFull.indexOf('/')
+  if (slash <= 0 || slash === repoFull.length - 1) {
+    return new Response(
+      JSON.stringify({ error: '?repo must be in "owner/name" format.' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+  const owner = repoFull.slice(0, slash)
+  const repo = repoFull.slice(slash + 1)
+
+  const result = await listRepoBranches({ appId, privateKey }, installationId, owner, repo)
+  if (!result.ok) {
+    const status =
+      result.error.type === 'auth' ? 401 : result.error.type === 'not-found' ? 404 : 502
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  return new Response(JSON.stringify({ branches: result.value }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}