@setzkasten-cms/astro-admin 0.8.0 → 1.1.0

package/src/api-routes/migrate-to-multi.ts

@@ -0,0 +1,255 @@
+import { type WebsiteEntry, canAddWebsite, isMultiModeAvailable } from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveLicenseTier } from './_license-tier'
+import { resolveStorageConfig } from './_storage-config'
+
+/**
+ * POST /api/setzkasten/migrate/to-multi
+ *
+ * Body: { configRepo: 'owner/repo', configInstallationId: string,
+ *         previewOrigin?: string }
+ *
+ * Admin-only. Expects the deployer to have already (1) created the
+ * config repo and (2) installed the GitHub App on it. The endpoint then:
+ *
+ * 1. Reads `_editors.json` and `_global_config.json` from the current
+ *    single-mode website repo.
+ * 2. Writes both files into `<config-repo>/content/`.
+ * 3. Initialises `<config-repo>/websites.json` with a single entry that
+ *    snapshots the current single-mode setup (repo, branch, preview
+ *    origin, App-Installation-ID).
+ *
+ * After a 200 response the deployer still has to update
+ * `setzkasten.config.ts` (kind: 'single' → 'multi') and the ENV
+ * variables and redeploy. The wizard surfaces a copy-ready diff for
+ * those manual steps.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response(JSON.stringify({ error: 'Unauthorized' }), { status: 401 })
+  if (session.user.role !== 'admin')
+    return new Response(JSON.stringify({ error: 'Forbidden' }), { status: 403 })
+
+  const tier = resolveLicenseTier()
+  if (!isMultiModeAvailable(tier)) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-Mode ist nur mit Pro- oder Enterprise-Lizenz verfügbar.',
+        tier,
+      }),
+      { status: 402, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  let body: { configRepo?: string; configInstallationId?: string; previewOrigin?: string } = {}
+  try {
+    body = (await request.json()) as typeof body
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+
+  if (!body.configRepo || typeof body.configRepo !== 'string' || !body.configRepo.includes('/')) {
+    return new Response(JSON.stringify({ error: 'configRepo (owner/repo) ist erforderlich' }), {
+      status: 400,
+    })
+  }
+  if (!body.configInstallationId || typeof body.configInstallationId !== 'string') {
+    return new Response(JSON.stringify({ error: 'configInstallationId ist erforderlich' }), {
+      status: 400,
+    })
+  }
+
+  const fullConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+    | { storage?: { kind?: string } }
+    | undefined
+  if (
+    fullConfig?.storage?.kind &&
+    fullConfig.storage.kind !== 'single' &&
+    fullConfig.storage.kind !== 'github-app'
+  ) {
+    return new Response(
+      JSON.stringify({
+        error: `Migration nur aus dem Single-Mode möglich. Aktueller storage.kind: ${fullConfig.storage.kind ?? 'unbekannt'}`,
+      }),
+      { status: 400 },
+    )
+  }
+
+  // We need the source-tier slot just in case the config repo already has
+  // entries — defensively preflight the limit so we never half-migrate.
+  const allowed = canAddWebsite(tier, 0)
+  if (!allowed.ok) {
+    return new Response(JSON.stringify({ error: allowed.reason }), { status: 402 })
+  }
+
+  const sourceStorage = resolveStorageConfig()
+  if (!sourceStorage) {
+    return new Response(
+      JSON.stringify({ error: 'Single-Mode Storage konnte nicht aufgelöst werden' }),
+      { status: 500 },
+    )
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+  const token = tokenResult.value
+
+  const [configOwner, configRepo] = body.configRepo.split('/')
+  if (!configOwner || !configRepo) {
+    return new Response(JSON.stringify({ error: 'configRepo muss "owner/repo" sein' }), {
+      status: 400,
+    })
+  }
+
+  const sourceContentPath: string =
+    (
+      (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+        | { storage?: { contentPath?: string } }
+        | undefined
+    )?.storage?.contentPath ?? 'content'
+
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  const ghBase = (owner: string, repo: string, path: string) =>
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`
+
+  // 1. Read editors + global from website repo (best-effort — both files
+  //    are optional in single-mode setups).
+  const sourceEditors = await readOptional(
+    ghBase(sourceStorage.owner, sourceStorage.repo, `${sourceContentPath}/_editors.json`),
+    `?ref=${sourceStorage.branch}`,
+    headers,
+  )
+  const sourceGlobal = await readOptional(
+    ghBase(sourceStorage.owner, sourceStorage.repo, `${sourceContentPath}/_global_config.json`),
+    `?ref=${sourceStorage.branch}`,
+    headers,
+  )
+
+  // 2. Write copies into config repo. (Branch defaults to 'main' since the
+  //    user just created the repo; we don't expose a branch override here.)
+  const configBranch = 'main'
+
+  const editorsCommit = sourceEditors
+    ? await putFile(
+        ghBase(configOwner, configRepo, 'content/_editors.json'),
+        sourceEditors,
+        configBranch,
+        'chore(migrate): copy editors from website repo',
+        headers,
+      )
+    : true
+
+  const globalCommit = sourceGlobal
+    ? await putFile(
+        ghBase(configOwner, configRepo, 'content/_global_config.json'),
+        sourceGlobal,
+        configBranch,
+        'chore(migrate): copy global config from website repo',
+        headers,
+      )
+    : true
+
+  // 3. Initialise websites.json with the current setup as the first entry.
+  const previewOrigin = body.previewOrigin ?? process.env.PUBLIC_SITE_URL ?? 'http://localhost:4321'
+
+  const initialEntry: WebsiteEntry = {
+    id: 'main',
+    name: sourceStorage.repo,
+    repo: `${sourceStorage.owner}/${sourceStorage.repo}`,
+    branch: sourceStorage.branch,
+    previewOrigin,
+    githubApp: {
+      appId: process.env.GITHUB_APP_ID ?? '',
+      installationId: process.env.GITHUB_APP_INSTALLATION_ID ?? '',
+    },
+  }
+
+  const websitesContent = JSON.stringify({ websites: [initialEntry] }, null, 2)
+
+  const websitesCommit = await putFile(
+    ghBase(configOwner, configRepo, 'websites.json'),
+    websitesContent,
+    configBranch,
+    'feat(migrate): initialise websites.json with current single-mode setup',
+    headers,
+  )
+
+  return new Response(
+    JSON.stringify({
+      ok: true,
+      committed: {
+        editors: editorsCommit,
+        globalConfig: globalCommit,
+        websites: websitesCommit,
+      },
+      // Echo back the values the user still has to set themselves.
+      manual: {
+        configRepo: body.configRepo,
+        configInstallationId: body.configInstallationId,
+        configBranch,
+        envChanges: {
+          add: {
+            SETZKASTEN_CONFIG_REPO: body.configRepo,
+            SETZKASTEN_CONFIG_BRANCH: configBranch,
+            GITHUB_APP_CONFIG_INSTALLATION_ID: body.configInstallationId,
+          },
+        },
+      },
+    }),
+    { status: 200, headers: { 'Content-Type': 'application/json' } },
+  )
+}
+
+async function readOptional(
+  url: string,
+  qs: string,
+  headers: Record<string, string>,
+): Promise<string | null> {
+  const res = await fetch(url + qs, { headers })
+  if (!res.ok) return null
+  const data = (await res.json()) as { content: string; encoding: string }
+  return data.encoding === 'base64'
+    ? Buffer.from(data.content, 'base64').toString('utf-8')
+    : data.content
+}
+
+async function putFile(
+  url: string,
+  content: string,
+  branch: string,
+  message: string,
+  headers: Record<string, string>,
+): Promise<boolean> {
+  // Read existing SHA so we can update an existing file rather than 422.
+  let sha: string | undefined
+  try {
+    const existing = await fetch(`${url}?ref=${branch}`, { headers })
+    if (existing.ok) {
+      const data = (await existing.json()) as { sha?: string }
+      sha = data.sha
+    }
+  } catch {
+    /* file doesn't exist — fine */
+  }
+
+  const body: Record<string, unknown> = {
+    message: withTrailers(message),
+    content: Buffer.from(content).toString('base64'),
+    branch,
+  }
+  if (sha) body.sha = sha
+
+  const res = await fetch(url, { method: 'PUT', headers, body: JSON.stringify(body) })
+  return res.ok
+}

package/src/api-routes/pages.ts

@@ -1,10 +1,17 @@
 import type { APIRoute } from 'astro'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { readPagesMeta, type PagesMetaTarget } from './_pages-meta-store'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { cachedFetch } from './_github-cache'
 
 interface PageInfo {
   path: string
   pageKey: string
   label: string
   hasConfig: boolean
+  /** Unix-ms timestamp of the page's last Setzkasten-driven commit, when
+   *  `_pages-meta.json` knows about the page. */
+  lastModified?: number
 }
 
 // Build-time constant injected by the Vite define plugin — always available in
@@ -15,6 +22,10 @@ declare const __SETZKASTEN_PAGES__: PageInfo[] | undefined
  * Returns the list of pages scanned at build time.
  * Reads the Vite build-time constant first; falls back to globalThis for
  * local dev / test environments where the define is not applied.
+ *
+ * Only valid in single-mode where the admin and the website share the same
+ * Astro project. Multi-mode has to fetch the page list per website at
+ * runtime (see {@link fetchPagesFromGitHub}).
  */
 export function resolvePages(): PageInfo[] {
   const buildPages = typeof __SETZKASTEN_PAGES__ !== 'undefined' ? __SETZKASTEN_PAGES__ : null
@@ -23,13 +34,116 @@ export function resolvePages(): PageInfo[] {
 
 /**
  * GET /api/setzkasten/pages
- * Returns the list of pages detected at build time.
+ *
+ * Single-mode: returns the build-time scan from the admin's own Astro
+ * project, enriched with `_pages-meta.json` timestamps from the
+ * (single) repo.
+ *
+ * Multi-mode: the X-SK-Website header selects one of the registered
+ * websites. The admin doesn't have build-time access to that website's
+ * `src/pages/` directory, so we fetch it via the GitHub Contents API
+ * (cached for 5 min), then enrich with the per-website
+ * `_pages-meta.json`. Without this branch, every website in Multi-Mode
+ * would see the admin's own page list — typically a single "index"
+ * stub — instead of its real pages.
  */
-export const GET: APIRoute = async () => {
-  const pages = resolvePages()
+export const GET: APIRoute = async ({ request }) => {
+  const isMulti = request.headers.get('x-sk-website') !== null
+  const pages = isMulti
+    ? await fetchPagesFromGitHub(request).catch(() => [])
+    : resolvePages()
 
-  return new Response(JSON.stringify({ pages }), {
+  const enriched = await enrichWithLastModified(pages, request).catch(() => pages)
+
+  return new Response(JSON.stringify({ pages: enriched }), {
     status: 200,
     headers: { 'Content-Type': 'application/json' },
   })
 }
+
+interface ContentsApiEntry {
+  type: 'file' | 'dir' | 'symlink' | 'submodule'
+  name: string
+  path: string
+}
+
+/**
+ * Lists the website's `src/pages/` directory via the GitHub Contents API
+ * and turns it into PageInfo entries. Only top-level `.astro` files
+ * (excluding `_layout.astro` and other underscore-prefixed privates and
+ * dynamic `[slug].astro` routes) become editable pages.
+ *
+ * Cached for 5 minutes per (owner, repo, branch) — the page list is a
+ * structural change that rarely happens during a normal editing session.
+ */
+async function fetchPagesFromGitHub(request: Request): Promise<PageInfo[]> {
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) return []
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return []
+
+  const { owner, repo, branch } = storage
+  const cacheKey = `pages-list:${owner}/${repo}:${branch}`
+  return cachedFetch(cacheKey, 5 * 60_000, async () => {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contents/src/pages?ref=${branch}`
+    const res = await fetch(url, {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+    if (!res.ok) return []
+    const entries = (await res.json()) as ContentsApiEntry[]
+    if (!Array.isArray(entries)) return []
+
+    const pages: PageInfo[] = []
+    for (const entry of entries) {
+      if (entry.type !== 'file') continue
+      if (!entry.name.endsWith('.astro')) continue
+      // Skip privates (_layout.astro etc.) and dynamic routes ([slug].astro).
+      if (entry.name.startsWith('_') || entry.name.startsWith('[')) continue
+      const pageKey = entry.name.slice(0, -'.astro'.length)
+      pages.push({
+        path: entry.path,
+        pageKey,
+        label: pageKey === 'index' ? 'Startseite' : pageKey,
+        hasConfig: true,
+      })
+    }
+    return pages
+  })
+}
+
+async function enrichWithLastModified(
+  pages: PageInfo[],
+  request: Request,
+): Promise<PageInfo[]> {
+  if (pages.length === 0) return pages
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) return pages
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return pages
+
+  const serverConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { storage?: { contentPath?: string } }
+    | undefined
+  const target: PagesMetaTarget = {
+    owner: storage.owner,
+    repo: storage.repo,
+    branch: storage.branch,
+    contentPath: serverConfig?.storage?.contentPath ?? 'content',
+    token: tokenResult.value,
+  }
+
+  const meta = await readPagesMeta(target)
+  if (!meta.ok) return pages
+
+  return pages.map((p) => {
+    const ts = meta.value.meta.pages[p.pageKey]?.lastModified
+    return ts !== undefined ? { ...p, lastModified: ts } : p
+  })
+}

package/src/api-routes/section-add.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateAddKey, addToPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/add
@@ -21,8 +22,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -36,7 +40,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -49,7 +53,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -111,6 +115,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, newKey, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-add error:', error)

package/src/api-routes/section-commit-pending.ts

@@ -1,9 +1,10 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
-import { resolveStorageConfig } from './_storage-config'
+import { resolveStorageConfigForRequest } from './_storage-config'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/commit-pending
@@ -22,8 +23,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -37,7 +41,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 
@@ -50,7 +54,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey, pageConfig, and sections are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -106,6 +110,15 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       )
     }
 
+    // Best-effort recency tracking. Metadata write must not derail the
+    // primary save — surface failures via the trailing return only.
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    const metaContentPath: string = serverConfig?.storage?.contentPath ?? 'content'
+    await recordPageEdit(
+      { owner, repo, branch, contentPath: metaContentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-commit-pending error:', error)

package/src/api-routes/section-delete.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { removeFromPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * DELETE /api/setzkasten/sections
@@ -18,8 +19,11 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -31,7 +35,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -44,7 +48,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -80,6 +84,12 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-delete error:', error)

package/src/api-routes/section-duplicate.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/duplicate
@@ -18,8 +19,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -31,7 +35,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -44,7 +48,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -91,6 +95,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, newKey, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-duplicate error:', error)

package/src/api-routes/section-prepare-copy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig } from './_storage-config'
+import { resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/prepare-copy
@@ -13,14 +14,24 @@ import { generateDuplicateKey, duplicateInPageConfig } from './section-managemen
  * The client uses this to update local state + preview draft immediately.
  * Only committed to GitHub when the user presses "Live setzen".
  *
+ * Note: this route intentionally does NOT call recordPageEdit. The
+ * page-recency spec lists it as a "mutating route", but in practice it
+ * only reads and returns — the real GitHub commit happens later in
+ * commit-pending, which records the edit. Bumping the timestamp here
+ * would mark a page as recently-modified even when the user opens the
+ * duplicate dialog and then cancels without committing.
+ *
  * Body: { pageKey, sectionKey, owner?, repo?, branch?, contentPath? }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -32,7 +43,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage