@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

package/src/api-routes/section-delete.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { removeFromPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * DELETE /api/setzkasten/sections
@@ -18,8 +19,11 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -31,7 +35,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -44,7 +48,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -80,6 +84,26 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
+    // Fire content.delete webhooks (fire-and-forget).
+    const { fireWebhooks } = await import('./_webhook-dispatcher.js')
+    const session = parseSession(cookies.get('setzkasten_session')?.value)
+    void fireWebhooks(
+      'content.delete',
+      {
+        website: { id: owner, repo: `${owner}/${repo}`, branch },
+        user: { email: session?.user?.email ?? 'unknown', name: session?.user?.name },
+        commit: { sha: commitResult.sha, message: `Delete ${sectionKey} from ${pageKey}` },
+        files: [{ path: sectionJsonPath }],
+      },
+      request,
+    )
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-delete error:', error)

package/src/api-routes/section-duplicate.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/duplicate
@@ -18,8 +19,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -31,7 +35,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -44,7 +48,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {
@@ -91,6 +95,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 })
 
+    const { recordPageEdit } = await import('./_pages-meta-store.js')
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey,
+    ).catch(() => {})
+
     return Response.json({ success: true, newKey, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-duplicate error:', error)

package/src/api-routes/section-prepare-copy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig } from './_storage-config'
+import { resolveStorageConfigForRequest } from './_storage-config'
 import { generateDuplicateKey, duplicateInPageConfig } from './section-management'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/prepare-copy
@@ -13,14 +14,24 @@ import { generateDuplicateKey, duplicateInPageConfig } from './section-managemen
  * The client uses this to update local state + preview draft immediately.
  * Only committed to GitHub when the user presses "Live setzen".
  *
+ * Note: this route intentionally does NOT call recordPageEdit. The
+ * page-recency spec lists it as a "mutating route", but in practice it
+ * only reads and returns — the real GitHub commit happens later in
+ * commit-pending, which records the edit. Bumping the timestamp here
+ * would mark a page as recently-modified even when the user opens the
+ * duplicate dialog and then cancels without committing.
+ *
  * Body: { pageKey, sectionKey, owner?, repo?, branch?, contentPath? }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -32,7 +43,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 

package/src/api-routes/section-prepare.ts

@@ -1,7 +1,8 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { generateAddKey } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/sections/prepare
@@ -20,8 +21,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -33,7 +37,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       contentPath?: string
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch } = storage
 
@@ -46,7 +50,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     // 1. Read current page config from GitHub to determine existing keys

package/src/api-routes/setup-github-app-bounce.ts

@@ -0,0 +1,52 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+/**
+ * Server-side manifest bounce for the GitHub App Manifest flow.
+ *
+ * GET /api/setzkasten/setup/github-app/bounce?name=my-app
+ *
+ * Generates the GitHub App manifest JSON using the server-known origin,
+ * then returns a minimal HTML page that auto-submits a form to GitHub.
+ */
+export const GET: APIRoute = async ({ url, request }) => {
+  const name = url.searchParams.get('name')?.trim() || 'Setzkasten CMS'
+  const origin = getPublicOrigin(request)
+
+  const manifest = JSON.stringify({
+    name,
+    url: origin,
+    redirect_url: `${origin}/api/setzkasten/setup/github-app/callback`,
+    setup_url: `${origin}/api/setzkasten/setup/github-app/installed`,
+    setup_on_update: false,
+    public: false,
+    default_permissions: { contents: 'write' },
+  })
+
+  const safeManifest = manifest.replace(/&/g, '&').replace(/"/g, '"')
+
+  const html = `<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8">
+  <title>Weiterleitung zu GitHub…</title>
+  <style>
+    body { font-family: sans-serif; display: flex; align-items: center;
+           justify-content: center; height: 100vh; margin: 0;
+           background: #0d1117; color: #e6edf3; }
+    p { opacity: .6; }
+  </style>
+</head>
+<body>
+  <p>Weiterleitung zu GitHub…</p>
+  <form id="f" method="POST" action="https://github.com/settings/apps/new">
+    <input type="hidden" name="manifest" value="${safeManifest}">
+  </form>
+  <script>document.getElementById('f').submit()</script>
+</body>
+</html>`
+
+  return new Response(html, {
+    headers: { 'Content-Type': 'text/html; charset=utf-8' },
+  })
+}

package/src/api-routes/setup-github-app-branches.ts

@@ -0,0 +1,63 @@
+import type { APIRoute } from 'astro'
+import { listRepoBranches } from '@setzkasten-cms/github-adapter'
+import { requireAdmin } from './_auth-guard'
+
+/**
+ * GET /api/setzkasten/setup/github-app/branches?installation=<id>&repo=<owner/repo>
+ *
+ * Returns the list of branches for one repo, fetched via the installation
+ * token of the given installation. Used by the WebsitesView form so the
+ * Branch field becomes a dropdown after the user picks a repo.
+ *
+ * Admin-only — same reasoning as /setup/github-app/repos.
+ */
+export const GET: APIRoute = async ({ cookies, url }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error:
+          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+      }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const installationId = url.searchParams.get('installation')
+  const repoFull = url.searchParams.get('repo')
+  if (!installationId || !repoFull) {
+    return new Response(
+      JSON.stringify({ error: 'Both ?installation and ?repo (owner/name) are required.' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const slash = repoFull.indexOf('/')
+  if (slash <= 0 || slash === repoFull.length - 1) {
+    return new Response(
+      JSON.stringify({ error: '?repo must be in "owner/name" format.' }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+  const owner = repoFull.slice(0, slash)
+  const repo = repoFull.slice(slash + 1)
+
+  const result = await listRepoBranches({ appId, privateKey }, installationId, owner, repo)
+  if (!result.ok) {
+    const status =
+      result.error.type === 'auth' ? 401 : result.error.type === 'not-found' ? 404 : 502
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  return new Response(JSON.stringify({ branches: result.value }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/setup-github-app-callback.ts

@@ -0,0 +1,71 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+const COOKIE_NAME = 'sk_app_setup'
+const COOKIE_MAX_AGE = 600 // 10 minutes
+
+/**
+ * Receives the code from GitHub after a GitHub App Manifest creation.
+ * Exchanges it for the full app credentials (App ID, private key, slug).
+ *
+ * GET /api/setzkasten/setup/github-app/callback?code=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+export const GET: APIRoute = async ({ url, request, cookies }) => {
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath?: string }
+    | undefined
+  const adminPath = config?.adminPath ?? '/admin'
+  const adminUrl = new URL(adminPath, getPublicOrigin(request))
+  const code = url.searchParams.get('code')
+
+  if (!code) {
+    adminUrl.searchParams.set('github-app-error', 'missing_code')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  // GitHub returns a lot more than these five fields (permissions,
+  // events, html_url, …) but these are the only ones we persist for
+  // the wizard. `client_id` + `client_secret` since v1.2: the GH-App
+  // doubles as the OAuth provider for admin login, so the Manifest
+  // exchange replaces what was previously a separate OAuth-App that
+  // the user had to create on github.com/settings/developers.
+  let data: {
+    id: number
+    slug: string
+    pem: string
+    client_id: string
+    client_secret: string
+  } | null = null
+  try {
+    const response = await fetch(`https://api.github.com/app-manifests/${code}/conversions`, {
+      method: 'POST',
+      headers: { Accept: 'application/vnd.github.v3+json' },
+      signal: AbortSignal.timeout(8000),
+    })
+    if (!response.ok) throw new Error(`GitHub returned ${response.status}`)
+    data = (await response.json()) as typeof data
+  } catch {
+    adminUrl.searchParams.set('github-app-error', 'exchange_failed')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  // Set cookie before constructing the redirect response —
+  // Response.redirect() is immutable and blocks subsequent header writes.
+  cookies.set(
+    COOKIE_NAME,
+    JSON.stringify({
+      appId: String(data!.id),
+      slug: data!.slug,
+      privateKey: data!.pem,
+      clientId: data!.client_id,
+      clientSecret: data!.client_secret,
+    }),
+    { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+  )
+
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+}

package/src/api-routes/setup-github-app-installed.ts

@@ -0,0 +1,44 @@
+import type { APIRoute } from 'astro'
+import { getPublicOrigin } from './_vercel-origin.js'
+
+const COOKIE_NAME = 'sk_app_setup'
+const COOKIE_MAX_AGE = 600
+
+/**
+ * Receives the installation_id from GitHub after the user installs the App.
+ * Merges it into the existing setup cookie and redirects back to the admin.
+ *
+ * GET /api/setzkasten/setup/github-app/installed?installation_id=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+export const GET: APIRoute = async ({ url, request, cookies }) => {
+  const config = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { adminPath?: string }
+    | undefined
+  const adminPath = config?.adminPath ?? '/admin'
+  const adminUrl = new URL(adminPath, getPublicOrigin(request))
+  const installationId = url.searchParams.get('installation_id')
+  const existing = cookies.get(COOKIE_NAME)?.value
+
+  if (!installationId || !existing) {
+    adminUrl.searchParams.set('github-app-error', 'missing_installation')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  try {
+    const data = JSON.parse(existing) as Record<string, string>
+    cookies.set(
+      COOKIE_NAME,
+      JSON.stringify({ ...data, installationId }),
+      { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
+    )
+  } catch {
+    adminUrl.searchParams.set('github-app-error', 'invalid_session')
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+  }
+
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
+}

package/src/api-routes/setup-github-app-repos.ts

@@ -0,0 +1,46 @@
+import type { APIRoute } from 'astro'
+import { listAccessibleRepos } from '@setzkasten-cms/github-adapter'
+import { requireAdmin } from './_auth-guard'
+
+/**
+ * GET /api/setzkasten/setup/github-app/repos
+ *
+ * Returns every repository the configured GitHub App can access, flattened
+ * across all installations. Each entry includes the installationId so the
+ * "Neue Website hinzufügen" form can record which installation owns the
+ * repo without a follow-up lookup.
+ *
+ * Admin-only — editors must not be able to enumerate repos across the
+ * organization. The endpoint uses the global App credentials from the env
+ * (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY) so the user never has to type them.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error:
+          'GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.',
+      }),
+      { status: 400, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const result = await listAccessibleRepos({ appId, privateKey })
+  if (!result.ok) {
+    const status = result.error.type === 'auth' ? 401 : 502
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  return new Response(JSON.stringify({ repos: result.value }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/setup-github-app.ts

@@ -0,0 +1,58 @@
+import type { APIRoute } from 'astro'
+import { GitHubAppClient } from '@setzkasten-cms/github-adapter'
+
+/**
+ * Setup-Wizard: GitHub App Integration
+ *
+ * GET  /api/setzkasten/setup/github-app  – Status abfragen
+ * POST /api/setzkasten/setup/github-app  – Verbindung testen
+ *
+ * Credentials werden NICHT persistiert – der Nutzer setzt die env vars manuell.
+ * Der POST-Endpunkt validiert die Verbindung durch einen echten Token-Request.
+ */
+
+export const GET: APIRoute = async () => {
+  const appId = process.env.GITHUB_APP_ID
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY
+  const installationId = process.env.GITHUB_APP_INSTALLATION_ID
+
+  const configured = Boolean(appId && privateKey && installationId)
+
+  return Response.json({ configured, ...(configured ? { appId } : {}) })
+}
+
+export const POST: APIRoute = async ({ request }) => {
+  let body: unknown
+  try {
+    body = await request.json()
+  } catch {
+    return Response.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+
+  const { appId, privateKey, installationId } =
+    (body as Record<string, unknown>) ?? {}
+
+  if (!appId || !privateKey || !installationId) {
+    return Response.json(
+      { error: 'appId, privateKey and installationId are required' },
+      { status: 400 },
+    )
+  }
+
+  const client = new GitHubAppClient(
+    {
+      appId: String(appId),
+      privateKey: String(privateKey),
+      installationId: String(installationId),
+    },
+    { owner: '', repo: '', branch: '' },
+  )
+
+  const result = await client.getInstallationToken()
+
+  if (!result.ok) {
+    return Response.json({ ok: false, error: result.error.message }, { status: 400 })
+  }
+
+  return Response.json({ ok: true })
+}

package/src/api-routes/updater-register.ts

@@ -1,5 +1,23 @@
 import type { APIRoute } from 'astro'
 
+// Vite-define injected by @setzkasten-cms/astro at build time. Available
+// in API-only Vercel cold-starts where the page-ssr injectScript that
+// writes globalThis.__SETZKASTEN_CONFIG__ does not fire.
+declare const __SETZKASTEN_BUILD_CONFIG__: {
+  adminPath?: string
+  updaterUrl?: string
+  version?: string
+  websiteUrl?: string
+  hasGitHub?: boolean
+  storage?: {
+    owner?: string
+    repo?: string
+    branch?: string
+    contentPath?: string
+    assetsPath?: string
+  }
+} | null | undefined
+
 /**
  * Registers this Setzkasten instance with the central updater backend.
  * Called on every Dashboard load. Returns update status and license tier.
@@ -8,11 +26,6 @@ import type { APIRoute } from 'astro'
  *
  * Body (optional — for UI activation flow):
  *   { licenseEmail: string, licenseKey: string }
- *
- * Priority for credentials:
- *   1. Config (`setzkasten.config.ts` → license.{email,key}) — always wins if set
- *   2. Request body — UI activation flow, one-time
- *   3. Firebase instance fallback — stored binding from previous activation
  */
 export const POST: APIRoute = async ({ cookies, request }) => {
   const session = cookies.get('setzkasten_session')?.value
@@ -20,16 +33,23 @@ export const POST: APIRoute = async ({ cookies, request }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+  // Two layers: the page-ssr injectScript writes __SETZKASTEN_CONFIG__ on
+  // globalThis (only fires for SSR-rendered pages). The Vite-define
+  // __SETZKASTEN_BUILD_CONFIG__ ships the same shape baked into the bundle
+  // and is therefore visible in API-only Vercel cold-starts where the
+  // injectScript never runs. We prefer the runtime globalThis value (it
+  // can pick up later overrides) but fall back to the build constant.
+  type ConfigShape = {
     updaterUrl?: string
     version?: string
     websiteUrl?: string
     storage?: { owner?: string; repo?: string }
-  } | undefined
-
-  const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as {
-    license?: { email?: string; key?: string; telemetryEnabled?: boolean }
-  } | undefined
+  }
+  const buildConfig = (typeof __SETZKASTEN_BUILD_CONFIG__ !== 'undefined'
+    ? __SETZKASTEN_BUILD_CONFIG__
+    : null) as ConfigShape | null
+  const runtimeConfig = (globalThis as any).__SETZKASTEN_CONFIG__ as ConfigShape | undefined
+  const config: ConfigShape | null = runtimeConfig ?? buildConfig
 
   const currentVersion = config?.version ?? '0.0.0'
   const updaterUrl = config?.updaterUrl
@@ -49,25 +69,19 @@ export const POST: APIRoute = async ({ cookies, request }) => {
   const repo = config?.storage?.repo ?? ''
   const repoUrl = owner && repo ? `${owner}/${repo}` : ''
   const websiteUrl = config?.websiteUrl ?? ''
-  const configLicense = fullConfig?.license
 
-  // ── Parse optional UI activation payload ──────────────────────────────
-  let uiEmail: string | undefined
-  let uiKey: string | undefined
+  let licenseEmail: string | undefined
+  let licenseKey: string | undefined
   try {
     if (request.headers.get('content-type')?.includes('application/json')) {
       const parsed = await request.json() as { licenseEmail?: string; licenseKey?: string }
-      uiEmail = parsed.licenseEmail?.trim() || undefined
-      uiKey = parsed.licenseKey?.trim() || undefined
+      licenseEmail = parsed.licenseEmail?.trim() || undefined
+      licenseKey = parsed.licenseKey?.trim() || undefined
     }
   } catch {
-    // Empty / malformed body is fine — treat as no UI input
+    // Empty / malformed body — treat as no UI input
   }
 
-  // Config wins over UI. UI only applies if config has no license.
-  const licenseEmail = configLicense?.email ?? uiEmail
-  const licenseKey = configLicense?.key ?? uiKey
-
   try {
     const response = await fetch(`${updaterUrl}/api/register`, {
       method: 'POST',
@@ -78,7 +92,7 @@ export const POST: APIRoute = async ({ cookies, request }) => {
         currentVersion,
         licenseEmail,
         licenseKey,
-        telemetryEnabled: configLicense?.telemetryEnabled !== false,
+        telemetryEnabled: true,
         managedWebsites: [],
       }),
       signal: AbortSignal.timeout(5000),
@@ -90,8 +104,6 @@ export const POST: APIRoute = async ({ cookies, request }) => {
 
     const data = await response.json() as { firebaseConfig?: { apiKey: string; authDomain: string; projectId: string }; [key: string]: unknown }
 
-    // Pass firebaseConfig through if the Updater returned one (Pro/Enterprise licenses).
-    // Writing to _global_config.json is done explicitly via the GlobalConfigView activation flow.
     return Response.json({ ...data, currentVersion, _firebaseConfig: data.firebaseConfig ?? null })
   } catch {
     return Response.json({