@setzkasten-cms/astro-admin 0.8.0 → 1.1.0

package/src/api-routes/_website-resolver.ts

@@ -0,0 +1,243 @@
+import {
+  type Result,
+  type WebsiteEntry,
+  type WebsitesRegistryProvider,
+  err,
+  notFoundError,
+  ok,
+  validationError,
+} from '@setzkasten-cms/core'
+import { GitHubAppClient, GitHubWebsitesRegistry } from '@setzkasten-cms/github-adapter'
+
+/**
+ * Per-request resolver for the active website.
+ *
+ * Standalone mode: looks up the entry matching the X-SK-Website request
+ * header in the websites registry (config-repo).
+ *
+ * Single-repo mode (backward compat): returns a synthesized WebsiteEntry
+ * built from the integration's build-time storage + GitHub-App ENV vars.
+ * The header is ignored.
+ */
+
+interface MultiState {
+  readonly mode: 'multi'
+  readonly registry: WebsitesRegistryProvider
+}
+
+interface SingleRepoState {
+  readonly mode: 'single'
+  readonly synthesized: WebsiteEntry
+}
+
+type ResolverState = MultiState | SingleRepoState | null
+
+let state: ResolverState = null
+
+/** Test/admin hook: install or clear the resolver state. */
+export function __resetWebsiteResolverForTests(next: ResolverState): void {
+  state = next
+}
+
+/**
+ * Configure the resolver state explicitly. Currently only the test suite
+ * uses this — production wiring runs lazily through
+ * {@link bootstrapResolverFromGlobals} on the first request, since the
+ * Astro integration doesn't have an obvious "initialize once" hook
+ * (`astro:server:start` runs in dev only). The export stays available so
+ * a future integration-startup wire-up has a typed entry point.
+ */
+export function configureWebsiteResolver(next: ResolverState): void {
+  state = next
+}
+
+interface FullConfig {
+  storage?:
+    | {
+        // 'single' is canonical; 'github-app' is the legacy alias.
+        kind: 'single' | 'github-app' | 'local'
+        repo?: string
+        appId?: string
+        installationId?: string
+      }
+    | {
+        // 'multi' is canonical; 'standalone' is the legacy alias.
+        kind: 'multi' | 'standalone'
+        configRepo: string
+        configBranch?: string
+        appId: string
+        installationId: string
+      }
+}
+
+function isMultiKind(kind: unknown): boolean {
+  return kind === 'multi' || kind === 'standalone'
+}
+
+interface BuildTimeStorage {
+  owner: string
+  repo: string
+  branch: string
+}
+
+// Vite define-injected literals. The integration (`packages/astro/src/
+// integration.ts`) sets them via the build-time Vite define plugin, so by
+// the time this code runs in a compiled API route the literals are
+// substituted with their JSON values. globalThis-style reads break on
+// cold-start serverless functions because the integration's
+// page-ssr injectScript only fires for SSR pages, never for API-only
+// invocations.
+declare const __SETZKASTEN_FULL_CONFIG__: FullConfig | null | undefined
+declare const __SETZKASTEN_STORAGE__: BuildTimeStorage | null | undefined
+declare const __SETZKASTEN_WEBSITE_URL__: string | undefined
+
+/**
+ * Lazy bootstrap from build-time globals. Reads `__SETZKASTEN_FULL_CONFIG__`
+ * and `__SETZKASTEN_STORAGE__` (set by the Astro integration via Vite
+ * define — literals only, NOT globalThis) to derive single-repo or
+ * standalone state. Idempotent — does nothing if the resolver is already
+ * configured.
+ */
+export function bootstrapResolverFromGlobals(): void {
+  if (state !== null) return
+
+  const fullConfig =
+    (typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null) ??
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+      | FullConfig
+      | undefined)
+  const buildStorage =
+    (typeof __SETZKASTEN_STORAGE__ !== 'undefined' ? __SETZKASTEN_STORAGE__ : null) ??
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ as
+      | BuildTimeStorage
+      | undefined)
+
+  const storageKind = fullConfig?.storage?.kind
+  if (isMultiKind(storageKind)) {
+    const standalone = fullConfig?.storage as {
+      kind: 'multi' | 'standalone'
+      configRepo: string
+      configBranch?: string
+      appId: string
+      installationId: string
+    }
+    const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+    if (!privateKey) {
+      // Without the private key the resolver can't mint installation tokens;
+      // every Multi-Mode request would 400 with a confusing "X-SK-Website
+      // header missing" message instead of the actual root cause.
+      console.error(
+        '[setzkasten] Multi-mode resolver bootstrap failed: GITHUB_APP_PRIVATE_KEY is not set in env. ' +
+          'Set it on the standalone-admin deployment so the registry can be loaded.',
+      )
+      return
+    }
+    const [owner, repo] = standalone.configRepo.split('/')
+    if (!owner || !repo) {
+      console.error(
+        `[setzkasten] Multi-mode resolver bootstrap failed: storage.configRepo "${standalone.configRepo}" is not in "owner/repo" form.`,
+      )
+      return
+    }
+
+    const client = new GitHubAppClient(
+      { appId: standalone.appId, installationId: standalone.installationId, privateKey },
+      { owner, repo, branch: standalone.configBranch ?? 'main' },
+    )
+    const registry = new GitHubWebsitesRegistry({
+      reader: { read: (path) => client.getFileContent(path) },
+      path: 'websites.json',
+      ttlMs: 60_000,
+    })
+    state = { mode: 'multi', registry }
+    return
+  }
+
+  if (!buildStorage) return
+
+  const appId = process.env.GITHUB_APP_ID ?? ''
+  const installationId = process.env.GITHUB_APP_INSTALLATION_ID ?? ''
+  // Source of truth: __SETZKASTEN_WEBSITE_URL__ Vite define (mirrors
+  // astro.config.mjs#site, dev-server origin in dev) — same value the
+  // updater registers licenses with. As a Vite literal it survives
+  // cold-start API-only function invocations (unlike __SETZKASTEN_CONFIG__
+  // which is only set via injectScript on page-ssr renders).
+  // PUBLIC_SITE_URL stays as an escape hatch for setups without `site:`.
+  const websiteUrlLiteral =
+    typeof __SETZKASTEN_WEBSITE_URL__ !== 'undefined' ? __SETZKASTEN_WEBSITE_URL__ : ''
+  const previewOrigin =
+    websiteUrlLiteral ||
+    process.env.PUBLIC_SITE_URL ||
+    'http://localhost:4321'
+
+  state = {
+    mode: 'single',
+    synthesized: {
+      id: 'default',
+      name: buildStorage.repo,
+      repo: `${buildStorage.owner}/${buildStorage.repo}`,
+      branch: buildStorage.branch,
+      previewOrigin,
+      githubApp: { appId, installationId },
+    },
+  }
+}
+
+const HEADER = 'x-sk-website'
+
+export async function resolveCurrentWebsite(request: Request): Promise<Result<WebsiteEntry>> {
+  if (state === null) bootstrapResolverFromGlobals()
+  if (state === null) {
+    return err(
+      validationError(
+        ['websiteResolver'],
+        'not-configured',
+        'Website resolver not configured — call configureWebsiteResolver() at integration startup.',
+      ),
+    )
+  }
+
+  if (state.mode === 'single') {
+    return ok(state.synthesized)
+  }
+
+  const requested = request.headers.get(HEADER)?.trim() ?? ''
+
+  if (!requested) {
+    const list = await state.registry.list()
+    if (!list.ok) return list
+
+    const sole = list.value.length === 1 ? list.value[0] : undefined
+    if (sole) return ok(sole)
+
+    return err(
+      validationError(
+        [HEADER],
+        'required',
+        'Standalone mode requires the X-SK-Website request header (registry has multiple entries).',
+      ),
+    )
+  }
+
+  const found = await state.registry.get(requested)
+  if (!found.ok) return found
+  if (!found.value) return err(notFoundError(`website:${requested}`))
+
+  return ok(found.value)
+}
+
+/**
+ * Lists all websites known to the resolver.
+ * Standalone mode: defers to the registry. Single-repo mode: returns the
+ * synthesized entry as a one-element list.
+ */
+export async function listAllWebsites(): Promise<Result<readonly WebsiteEntry[]>> {
+  if (state === null) bootstrapResolverFromGlobals()
+  if (state === null) {
+    return err(
+      validationError(['websiteResolver'], 'not-configured', 'Website resolver not configured.'),
+    )
+  }
+  if (state.mode === 'single') return ok([state.synthesized])
+  return state.registry.list()
+}

package/src/api-routes/_websites-store.ts

@@ -0,0 +1,120 @@
+/**
+ * Read/write the standalone admin's `websites.json` from the config repo.
+ * Pure HTTP — no caching here; the GitHub-side cache lives in
+ * GitHubWebsitesRegistry, which API routes invalidate explicitly after a
+ * successful write.
+ */
+
+import {
+  type Result,
+  type WebsitesRegistry,
+  err,
+  networkError,
+  ok,
+  parseWebsitesRegistry,
+} from '@setzkasten-cms/core'
+import { withTrailers } from './_commit-trailers'
+
+interface ConfigRepoTarget {
+  readonly owner: string
+  readonly repo: string
+  readonly branch: string
+  readonly path: string
+  readonly token: string
+}
+
+interface ReadResult {
+  readonly registry: WebsitesRegistry
+  readonly sha: string | null
+}
+
+const githubHeaders = (token: string) => ({
+  Authorization: `Bearer ${token}`,
+  Accept: 'application/vnd.github+json',
+  'X-GitHub-Api-Version': '2022-11-28',
+  'Content-Type': 'application/json',
+})
+
+export async function readWebsitesRegistryFromGitHub(
+  target: ConfigRepoTarget,
+): Promise<Result<ReadResult>> {
+  try {
+    const url = `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}?ref=${target.branch}`
+    const response = await fetch(url, { headers: githubHeaders(target.token) })
+
+    if (response.status === 404) {
+      return ok({ registry: { websites: [] }, sha: null })
+    }
+    if (!response.ok) {
+      return err(networkError(`GitHub returned ${response.status} reading ${target.path}`))
+    }
+
+    const data = (await response.json()) as { content: string; sha: string }
+    const decoded = Buffer.from(data.content, 'base64').toString('utf-8')
+    const parsed = parseWebsitesRegistry(decoded)
+    if (!parsed.ok) return parsed
+
+    return ok({ registry: parsed.value, sha: data.sha })
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to read ${target.path}: ${message}`, cause))
+  }
+}
+
+export async function writeWebsitesRegistryToGitHub(
+  target: ConfigRepoTarget,
+  registry: WebsitesRegistry,
+  previousSha: string | null,
+  commitMessage: string,
+): Promise<Result<void>> {
+  const body: Record<string, unknown> = {
+    message: withTrailers(commitMessage),
+    content: Buffer.from(JSON.stringify(registry, null, 2)).toString('base64'),
+    branch: target.branch,
+  }
+  if (previousSha) body.sha = previousSha
+
+  try {
+    const response = await fetch(
+      `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}`,
+      { method: 'PUT', headers: githubHeaders(target.token), body: JSON.stringify(body) },
+    )
+
+    if (!response.ok) {
+      const text = await response.text()
+      return err(networkError(`GitHub PUT failed: ${response.status} ${text}`))
+    }
+    return ok(undefined)
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to write ${target.path}: ${message}`, cause))
+  }
+}
+
+/**
+ * Reads the standalone-admin storage config out of the build-time
+ * `__SETZKASTEN_FULL_CONFIG__` global. Returns null when the deployment
+ * is not in standalone mode (single-repo setups have no websites.json).
+ */
+export function resolveConfigRepoTargetFromGlobals(token: string): ConfigRepoTarget | null {
+  const fullConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+    | { storage?: { kind: string; configRepo?: string; configBranch?: string } }
+    | undefined
+
+  // Accept the canonical 'multi' as well as the legacy 'standalone' alias.
+  // defineConfig() rewrites legacy values, but tests and direct setters of
+  // __SETZKASTEN_FULL_CONFIG__ may pass either form.
+  const storage = fullConfig?.storage
+  if (!storage || (storage.kind !== 'multi' && storage.kind !== 'standalone')) return null
+  if (!storage.configRepo) return null
+  const [owner, repo] = storage.configRepo.split('/')
+  if (!owner || !repo) return null
+
+  return {
+    owner,
+    repo,
+    branch: storage.configBranch ?? 'main',
+    path: 'websites.json',
+    token,
+  }
+}

package/src/api-routes/asset-proxy.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Asset proxy – serves images from the private GitHub repo.
@@ -7,7 +8,7 @@ import type { APIRoute } from 'astro'
  * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
  * → fetches from GitHub API and returns the raw binary with correct Content-Type.
  */
-export const GET: APIRoute = async ({ params, cookies }) => {
+export const GET: APIRoute = async ({ params, request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) {
     return new Response('Unauthorized', { status: 401 })
@@ -18,10 +19,11 @@ export const GET: APIRoute = async ({ params, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const config = (globalThis as any).__SETZKASTEN_CONFIG__
   if (!config?.storage) {

package/src/api-routes/auth-callback.ts

@@ -1,5 +1,6 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
  * GitHub OAuth callback handler.
@@ -59,13 +60,11 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     }
 
     const session = sessionResult.value
-    cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
-      httpOnly: true,
-      secure: import.meta.env.PROD,
-      sameSite: 'lax',
-      path: '/',
-      maxAge: 60 * 60 * 24 * 7,
-    })
+    cookies.set(
+      'setzkasten_session',
+      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      sessionCookieOptions(import.meta.env.PROD),
+    )
 
     return redirect(adminPath)
   } catch {

package/src/api-routes/auth-logout.ts

@@ -1,9 +1,13 @@
 import type { APIRoute } from 'astro'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
  * Logout – clears the session cookie and redirects to home.
+ * Mirrors the same `domain` attribute used when the cookie was set so the
+ * browser actually deletes it on subdomains in standalone-admin setups.
  */
 export const GET: APIRoute = async ({ cookies, redirect }) => {
-  cookies.delete('setzkasten_session', { path: '/' })
+  const opts = sessionCookieOptions(false)
+  cookies.delete('setzkasten_session', { path: '/', domain: opts.domain })
   return redirect('/')
 }

package/src/api-routes/auth-setzkasten-login.ts

@@ -3,6 +3,8 @@ import { verifyFirebaseJwt } from '@setzkasten-cms/auth'
 import { readEditorsFile } from './editors'
 import { readGlobalConfig } from './global-config'
 import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
  * POST /api/setzkasten/auth/setzkasten-login
@@ -10,6 +12,12 @@ import { resolveStorageConfig } from './_storage-config'
  *
  * Verifies the Firebase JWT against Firebase's public JWKS (no secret needed).
  * Access is gated exclusively by _editors.json (fail-closed).
+ *
+ * Editors live in the build-time-configured repo regardless of which website
+ * the request is targeting — in single-mode that's the website's repo, in
+ * multi-mode it's the config-repo. The per-request resolver and X-SK-Website
+ * header are intentionally NOT consulted here, because login predates any
+ * website selection.
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
   const body = await request.json().catch(() => null)
@@ -24,9 +32,14 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Storage not configured', { status: 500 })
   }
   const { owner, repo, branch } = storage
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath: string = serverConfig?.storage?.contentPath ?? 'content'
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? ''
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(`GitHub token unavailable: ${tokenResult.error.message}`, { status: 503 })
+  }
 
   // Verify that SetzKastenLogin is configured (firebaseConfig must exist in global config)
   const globalCfg = await readGlobalConfig().catch(() => null)
@@ -35,7 +48,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 
   // Read editors list — fail-closed: if unreadable, deny all logins
-  const editors = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  const editors = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
   if (editors === null) {
     return new Response('Editors list unavailable — no access granted', { status: 503 })
   }
@@ -48,13 +61,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 
   const session = result.value
-  cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
-    httpOnly: true,
-    secure: import.meta.env.PROD,
-    sameSite: 'lax',
-    path: '/',
-    maxAge: 60 * 60 * 24 * 7,
-  })
+  cookies.set(
+    'setzkasten_session',
+    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    sessionCookieOptions(import.meta.env.PROD),
+  )
 
   return Response.json({ ok: true })
 }

package/src/api-routes/catalog-add.ts

@@ -1,10 +1,11 @@
 import type { APIRoute } from 'astro'
 import { registry } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { validateCatalogAddBody, buildCatalogAddCommit } from './catalog-helpers'
 import { generateAddKey, addToPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/add
@@ -19,8 +20,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as Record<string, unknown>
@@ -34,7 +38,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const { templateName, pageKey } = validated
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -42,7 +46,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {

package/src/api-routes/catalog-export.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { exportTemplate } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/export
@@ -14,8 +15,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -30,7 +34,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'sectionKey is required' }, { status: 400 })
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 

package/src/api-routes/config.ts

@@ -2,10 +2,11 @@ import type { APIRoute } from 'astro'
 import { readGlobalConfig } from './global-config'
 
 /**
- * Returns the full SetzKastenConfig as JSON.
- * The config is injected into globalThis by the integration at build time.
- *
  * GET /api/setzkasten/config
+ *
+ * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
+ * (stored in _global_config.json) are merged over the static config so
+ * admins can change theme and Firebase settings without a code deployment.
  */
 export const GET: APIRoute = async () => {
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
@@ -13,13 +14,19 @@ export const GET: APIRoute = async () => {
 
   const globalCfg = await readGlobalConfig().catch(() => null)
 
+  const staticTheme = (config as any).theme ?? {}
+  const globalTheme = globalCfg?.theme ?? {}
+
   const result = {
-    storage: { kind: 'github' },
+    // Default fallback when no config is injected at build time. Real
+    // values are spread from `config` below.
+    storage: { kind: 'local' },
     auth: { providers: ['github'] },
-    theme: {},
     products: {},
     collections: {},
     ...config,
+    // Global config theme overrides static config theme field by field
+    theme: { ...staticTheme, ...globalTheme },
     // Include storage params so the client can create ProxyContentRepository
     _storage: ssrConfig?.storage ?? undefined,
     _hasGitHub: ssrConfig?.hasGitHub ?? false,