@setzkasten-cms/astro-admin 0.8.0 → 1.1.0

package/src/api-routes/editors.ts

@@ -1,12 +1,23 @@
 import type { APIRoute } from 'astro'
 import { resolveStorageConfig } from './_storage-config'
 import { parseSession } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
 import type { ContentEditorConfig } from '@setzkasten-cms/core'
 import { cachedFetch, invalidateCache } from './_github-cache'
 import { withTrailers } from './_commit-trailers'
 
 const EDITORS_FILE = (contentPath: string) => `${contentPath}/_editors.json`
 
+// In Multi-Mode editors are global across all websites and live in the
+// config-repo; in Single-Mode the config-repo IS the website-repo. Either
+// way the answer is "the build-time-configured storage" — never the
+// per-website storage that the X-SK-Website header would route to.
+function configRepoStorage(): { owner: string; repo: string; branch: string } | null {
+  const storage = resolveStorageConfig()
+  if (!storage) return null
+  return { owner: storage.owner, repo: storage.repo, branch: storage.branch }
+}
+
 // ---------------------------------------------------------------------------
 // GET /api/setzkasten/editors
 // Returns the current editors list from _editors.json.
@@ -17,17 +28,18 @@ export const GET: APIRoute = async ({ cookies }) => {
   const session = parseSession(cookies.get('setzkasten_session')?.value)
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
 
-  const storage = resolveStorageConfig()
+  const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
-  const raw = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  const raw = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
   return Response.json(raw ?? [])
 }
 
@@ -42,13 +54,14 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   if (!session) return new Response('Unauthorized', { status: 401 })
   if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
 
-  const storage = resolveStorageConfig()
+  const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
@@ -63,7 +76,7 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   const filePath = EDITORS_FILE(contentPath)
   const fileContent = JSON.stringify(editors, null, 2)
   const headers = {
-    Authorization: `Bearer ${githubToken}`,
+    Authorization: `Bearer ${tokenResult.value}`,
     Accept: 'application/vnd.github+json',
     'X-GitHub-Api-Version': '2022-11-28',
     'Content-Type': 'application/json',
@@ -134,3 +147,59 @@ export async function readEditorsFile(
     return JSON.parse(raw) as ContentEditorConfig[]
   })
 }
+
+/**
+ * Discriminated result for the editors-file fetch. Lets callers decide the
+ * fail-mode policy: the auth-guard wants to ALLOW when the file is genuinely
+ * absent (no restrictions configured) but DENY when the fetch errors out.
+ * The basic readEditorsFile() above returns null for both cases, which is
+ * unsafe for authorization checks.
+ *
+ * Caller is responsible for caching — this function never reads from or
+ * writes to the shared cache, because caching an "error" state would
+ * silently extend privilege-escalation windows.
+ */
+export type EditorsStatus =
+  | { kind: 'absent' }
+  | { kind: 'present'; editors: ContentEditorConfig[] }
+  | { kind: 'error'; message: string }
+
+export async function readEditorsFileStatus(
+  owner: string,
+  repo: string,
+  branch: string,
+  contentPath: string,
+  token: string,
+): Promise<EditorsStatus> {
+  let res: Response
+  try {
+    res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    )
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'network error' }
+  }
+
+  if (res.status === 404) return { kind: 'absent' }
+  if (!res.ok) {
+    return { kind: 'error', message: `GitHub returned ${res.status}` }
+  }
+
+  try {
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
+    return { kind: 'present', editors: JSON.parse(raw) as ContentEditorConfig[] }
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'parse error' }
+  }
+}

package/src/api-routes/github-proxy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Server-side proxy for GitHub API calls.
@@ -21,12 +22,11 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  // GitHub App token from environment (never sent to client)
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const githubUrl = `https://api.github.com/${githubPath}`
 

package/src/api-routes/global-config.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { parseSession } from './_auth-guard'
 import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
 import { cachedFetch, invalidateCache } from './_github-cache'
 import { withTrailers } from './_commit-trailers'
 
@@ -12,6 +13,11 @@ export interface GlobalConfig {
     authDomain: string
     projectId: string
   }
+  theme?: {
+    primaryColor?: string
+    brandName?: string
+    logo?: string
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -42,7 +48,7 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
     return Response.json({ error: 'Invalid request body' }, { status: 400 })
   }
 
-  const current = await readGlobalConfig() ?? {}
+  const current = (await readGlobalConfig()) ?? {}
   const next: GlobalConfig = { ...current }
   for (const [k, v] of Object.entries(patch)) {
     if (v === null) delete (next as Record<string, unknown>)[k]
@@ -54,23 +60,34 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
 
 // ---------------------------------------------------------------------------
 // Helpers
+//
+// Global config is a Setzkasten-instance-level file that lives in the
+// config-repo regardless of which website the request is targeting:
+// - Single-Mode: config-repo == website-repo, so this is fine
+// - Multi-Mode: config-repo holds editors + global config + websites.json
+// We deliberately ignore the request and X-SK-Website here; otherwise
+// global config would ping-pong between per-website locations as users
+// switch active sites.
 // ---------------------------------------------------------------------------
 
-function getStorageParams() {
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+async function getStorageParams() {
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const storage = resolveStorageConfig()
   if (!storage) return null
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return null
   return {
     owner: storage.owner,
     repo: storage.repo,
     branch: storage.branch,
     contentPath: serverConfig?.storage?.contentPath ?? 'content',
-    token: (import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? '') as string,
+    token: tokenResult.value,
   }
 }
 
 export async function readGlobalConfig(): Promise<GlobalConfig | null> {
-  const params = getStorageParams()
+  const params = await getStorageParams()
   if (!params) return null
   const { owner, repo, branch, contentPath, token } = params
   const key = `global-config:${owner}/${repo}:${branch}`
@@ -89,7 +106,7 @@ export async function readGlobalConfig(): Promise<GlobalConfig | null> {
 }
 
 export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
-  const params = getStorageParams()
+  const params = await getStorageParams()
   if (!params) throw new Error('Storage not configured')
   const { owner, repo, branch, contentPath, token } = params
   invalidateCache(`global-config:${owner}/${repo}:${branch}`)

package/src/api-routes/init-add-section.ts

@@ -1,10 +1,11 @@
 import type { APIRoute } from 'astro'
 import type { InferredSection } from '@setzkasten-cms/core/init'
 import { addSectionToConfig } from '@setzkasten-cms/core/init'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { patchTemplateForFields, stripTemplateFallbacks } from '../init/template-patcher-v2'
 import type { RepeatedGroup } from '../init/analyzer-types'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/add-section
@@ -21,10 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -38,7 +40,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }
@@ -292,6 +294,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: commitResult.error }, { status: 500 })
     }
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({
       success: true,
       commitSha: commitResult.sha,

package/src/api-routes/init-apply.ts

@@ -3,6 +3,7 @@ import { generateConfigFile, type InferredSection, type ConfigGeneratorInput } f
 import { patchAstroConfig } from '../init/astro-config-patcher'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 interface ApplyRequest {
   owner: string
@@ -36,10 +37,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as ApplyRequest

package/src/api-routes/init-migrate.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { patchTemplateForFields } from '../init/template-patcher-v2'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/migrate
@@ -21,10 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -35,7 +37,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       componentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }

package/src/api-routes/init-scan-page.ts

@@ -1,9 +1,28 @@
 import type { APIRoute } from 'astro'
 import type { SetzKastenConfig } from '@setzkasten-cms/core'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { extractSectionImports, extractLayoutImport } from '../init/astro-detector'
 import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
 import type { RepoFile } from '@setzkasten-cms/core/init'
+import { resolveGitHubTokenForRequest } from './_github-token'
+
+// Build-time constant injected by the Vite define plugin — always available in
+// compiled API routes (unlike page-ssr injectScript which only runs for SSR pages).
+declare const __SETZKASTEN_FULL_CONFIG__: SetzKastenConfig | null | undefined
+
+/**
+ * Resolves the full Setzkasten config.
+ * Reads the Vite build-time constant first; falls back to globalThis for
+ * local dev / test environments where the define is not applied.
+ *
+ * Without the build-time fallback, cold-start Vercel function invocations of
+ * this API route see managedSections={} and offer every adopted section
+ * (including _layout_header / _layout_footer) for re-adoption.
+ */
+export function resolveFullConfig(): SetzKastenConfig | undefined {
+  const buildConfig = typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null
+  return (buildConfig ?? (globalThis as any).__SETZKASTEN_FULL_CONFIG__) as SetzKastenConfig | undefined
+}
 
 /**
  * POST /api/setzkasten/init/scan-page
@@ -21,10 +40,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -35,7 +55,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       projectRoot?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
       return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
     }
@@ -47,7 +67,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     }
 
     // Get current schema to know which sections are already managed + their fields
-    const config = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as SetzKastenConfig | undefined
+    const config = resolveFullConfig()
     const managedSections = new Map<string, Set<string>>() // key → field keys
     if (config) {
       for (const product of Object.values(config.products)) {

package/src/api-routes/init-scan.ts

@@ -2,6 +2,7 @@ import type { APIRoute } from 'astro'
 import { analyzeProject, type RepoFile } from '@setzkasten-cms/core/init'
 import { findAstroPages, extractSectionImports } from '../init/astro-detector'
 import { analyzeAstroSection } from '../init/astro-section-analyzer-v2'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/init/scan
@@ -16,10 +17,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as { owner: string; repo: string; branch?: string }