@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

package/src/api-routes/updater-transfer.ts

@@ -3,6 +3,7 @@ import { createHash } from 'node:crypto'
 
 /**
  * Transfer a license to the current Setzkasten instance.
+ * The backend identifies the license by instanceId (computed from repoUrl + websiteUrl).
  *
  * POST /api/setzkasten/updater/transfer
  */
@@ -18,26 +19,16 @@ export const POST: APIRoute = async ({ cookies }) => {
     storage?: { owner?: string; repo?: string }
   } | undefined
 
-  const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__ as {
-    license?: { email?: string; key?: string }
-  } | undefined
-
   const updaterUrl = config?.updaterUrl
   if (!updaterUrl) {
     return Response.json({ error: 'Updater not configured' }, { status: 400 })
   }
 
-  const license = fullConfig?.license
-  if (!license?.key || !license?.email) {
-    return Response.json({ error: 'No license configured' }, { status: 400 })
-  }
-
   const owner = config?.storage?.owner ?? ''
   const repo = config?.storage?.repo ?? ''
   const repoUrl = owner && repo ? `${owner}/${repo}` : ''
   const websiteUrl = config?.websiteUrl ?? ''
 
-  // Compute deterministic instanceId (same as backend register)
   const raw = (repoUrl || 'unknown') + '|' + (websiteUrl || 'unknown')
   const instanceId = createHash('sha256').update(raw).digest('hex').slice(0, 32)
 
@@ -46,8 +37,6 @@ export const POST: APIRoute = async ({ cookies }) => {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
-        licenseKey: license.key,
-        licenseEmail: license.email,
         toInstanceId: instanceId,
         toWebsiteUrl: websiteUrl,
       }),

package/src/api-routes/webhooks-status.ts

@@ -0,0 +1,17 @@
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { getWebhookStatus } from './_webhook-status-store'
+
+/**
+ * GET /api/setzkasten/webhooks/status
+ *
+ * Returns the in-memory status map (lastFiredAt + lastStatus per webhook
+ * id). Empty for cold-started instances; the UI handles that gracefully
+ * with "noch nie gefeuert".
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  return Response.json({ status: getWebhookStatus() })
+}

package/src/api-routes/webhooks-test.ts

@@ -0,0 +1,134 @@
+import type { APIRoute } from 'astro'
+import {
+  parseWebhooksFile,
+  type WebhookConfig,
+  type WebhookPayload,
+} from '@setzkasten-cms/core'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { parseSession, requireAdmin } from './_auth-guard'
+import { gateFeature } from './_feature-gate'
+import { recordWebhookFire } from './_webhook-status-store'
+import { signPayload } from './_webhook-signing'
+
+const WEBHOOKS_FILE = (contentPath: string) => `${contentPath}/_webhooks.json`
+const TEST_TIMEOUT_MS = 10_000
+
+/**
+ * POST /api/setzkasten/webhooks/test
+ * Body: { id: string }
+ *
+ * Fires a synthetic test payload at the configured URL and returns
+ * { ok, status, latencyMs }. Admin-only, Pro-gated. Used by the UI
+ * "Test-Fire"-Button to verify a webhook config end-to-end.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const gate = gateFeature('webhooks')
+  if (gate) return gate
+
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  let body: { id?: string }
+  try {
+    body = (await request.json()) as { id?: string }
+  } catch {
+    return Response.json({ error: 'Invalid JSON' }, { status: 400 })
+  }
+  if (!body.id) {
+    return Response.json({ error: 'id is required' }, { status: 400 })
+  }
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch } = storage
+
+  const serverConfig = (globalThis as {
+    __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
+  }).__SETZKASTEN_CONFIG__
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+
+  // Read webhooks file directly (no cache — we want the freshly-saved value)
+  const fileRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${WEBHOOKS_FILE(contentPath)}?ref=${branch}`,
+    {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    },
+  )
+  if (fileRes.status === 404) {
+    return Response.json({ error: 'No webhooks configured' }, { status: 404 })
+  }
+  if (!fileRes.ok) {
+    return Response.json({ error: 'Could not read webhooks file' }, { status: 502 })
+  }
+  const data = (await fileRes.json()) as { content: string; encoding: string }
+  const raw =
+    data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  const parsed = parseWebhooksFile(raw)
+  if (!parsed.ok) {
+    return Response.json({ error: 'Webhooks file is malformed' }, { status: 502 })
+  }
+
+  const target: WebhookConfig | undefined = parsed.value.webhooks.find((w) => w.id === body.id)
+  if (!target) {
+    return Response.json({ error: `Webhook "${body.id}" not found` }, { status: 404 })
+  }
+
+  // Build test payload — flagged as a test so receivers can ignore it
+  const payload: WebhookPayload & { test: boolean } = {
+    event: 'content.save',
+    timestamp: new Date().toISOString(),
+    website: { id: owner, repo: `${owner}/${repo}`, branch },
+    user: { email: session.user.email, name: session.user.name },
+    commit: { sha: '0'.repeat(40), message: 'test webhook fire' },
+    files: [],
+    test: true,
+  }
+  const payloadBody = JSON.stringify(payload)
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+    'X-Setzkasten-Event': 'content.save',
+    'X-Setzkasten-Delivery': crypto.randomUUID(),
+    'X-Setzkasten-Test': 'true',
+  }
+  if (target.secret) {
+    headers['X-Setzkasten-Signature'] = `sha256=${signPayload(payloadBody, target.secret)}`
+  }
+
+  const startedAt = Date.now()
+  try {
+    const res = await fetch(target.url, {
+      method: 'POST',
+      headers,
+      body: payloadBody,
+      signal: AbortSignal.timeout(TEST_TIMEOUT_MS),
+    })
+    const latencyMs = Date.now() - startedAt
+    recordWebhookFire(target.id, res.status)
+    return Response.json({ ok: res.ok, status: res.status, latencyMs })
+  } catch (err) {
+    const latencyMs = Date.now() - startedAt
+    recordWebhookFire(target.id, 'error')
+    return Response.json({
+      ok: false,
+      status: 'error',
+      latencyMs,
+      error: err instanceof Error ? err.message : 'Unknown error',
+    })
+  }
+}

package/src/api-routes/webhooks.ts

@@ -0,0 +1,163 @@
+import type { APIRoute } from 'astro'
+import {
+  parseWebhooksFile,
+  validateWebhookConfig,
+  type WebhookConfig,
+} from '@setzkasten-cms/core'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { parseSession, requireAdmin } from './_auth-guard'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { withTrailers } from './_commit-trailers'
+import { gateFeature } from './_feature-gate'
+
+const WEBHOOKS_FILE = (contentPath: string) => `${contentPath}/_webhooks.json`
+
+// ---------------------------------------------------------------------------
+// GET /api/setzkasten/webhooks — list (admin only, cached 60s)
+// ---------------------------------------------------------------------------
+
+export const GET: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch } = storage
+  const contentPath = resolveContentPath()
+
+  const cacheKey = `webhooks:${owner}/${repo}:${branch}`
+  const webhooks = await cachedFetch(cacheKey, 60_000, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${WEBHOOKS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${tokenResult.value}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    )
+    if (res.status === 404) return [] as readonly WebhookConfig[]
+    if (!res.ok) return null
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
+    const parsed = parseWebhooksFile(raw)
+    return parsed.ok ? parsed.value.webhooks : null
+  })
+
+  if (webhooks === null) {
+    return Response.json({ error: 'Could not read webhooks file' }, { status: 502 })
+  }
+  return Response.json({ webhooks })
+}
+
+// ---------------------------------------------------------------------------
+// PUT /api/setzkasten/webhooks — replace whole list (admin + Pro-gated)
+// ---------------------------------------------------------------------------
+
+export const PUT: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const gate = gateFeature('webhooks')
+  if (gate) return gate
+
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  let body: { webhooks?: unknown }
+  try {
+    body = (await request.json()) as { webhooks?: unknown }
+  } catch {
+    return Response.json({ error: 'Invalid JSON' }, { status: 400 })
+  }
+  if (!Array.isArray(body.webhooks)) {
+    return Response.json({ error: 'webhooks must be an array' }, { status: 400 })
+  }
+
+  const validated: WebhookConfig[] = []
+  const seenIds = new Set<string>()
+  for (let i = 0; i < body.webhooks.length; i++) {
+    const result = validateWebhookConfig(body.webhooks[i])
+    if (!result.ok) {
+      return Response.json(
+        { error: result.error.message, index: i },
+        { status: 400 },
+      )
+    }
+    if (seenIds.has(result.value.id)) {
+      return Response.json(
+        { error: `Duplicate webhook id: ${result.value.id}`, index: i },
+        { status: 400 },
+      )
+    }
+    seenIds.add(result.value.id)
+    validated.push(result.value)
+  }
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch } = storage
+  const contentPath = resolveContentPath()
+  const filePath = WEBHOOKS_FILE(contentPath)
+
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // Read current SHA for in-place updates
+  let currentSha: string | null = null
+  const existingRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}?ref=${branch}`,
+    { headers },
+  )
+  if (existingRes.ok) {
+    const data = (await existingRes.json()) as { sha: string }
+    currentSha = data.sha
+  }
+
+  const fileBody = JSON.stringify({ version: 1, webhooks: validated }, null, 2)
+  const putBody: Record<string, unknown> = {
+    message: withTrailers('chore(webhooks): update webhook configuration', session.user.email),
+    content: Buffer.from(fileBody).toString('base64'),
+    branch,
+  }
+  if (currentSha) putBody.sha = currentSha
+
+  const putRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
+    { method: 'PUT', headers, body: JSON.stringify(putBody) },
+  )
+
+  if (!putRes.ok) {
+    const text = await putRes.text()
+    return Response.json({ error: `Webhook write failed: ${text}` }, { status: 502 })
+  }
+
+  invalidateCache(`webhooks:${owner}/${repo}:${branch}`)
+  return Response.json({ ok: true, webhooks: validated })
+}
+
+function resolveContentPath(): string {
+  const serverConfig = (globalThis as {
+    __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
+  }).__SETZKASTEN_CONFIG__
+  return serverConfig?.storage?.contentPath ?? 'content'
+}

package/src/api-routes/websites-add.ts

@@ -0,0 +1,113 @@
+import {
+  type WebsiteEntry,
+  addWebsiteToRegistry,
+  canAddWebsite,
+  parseWebsitesRegistry,
+} from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveLicenseTier } from './_license-tier'
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub,
+} from './_websites-store'
+
+/**
+ * POST /api/setzkasten/websites/add
+ *
+ * Body: { entry: WebsiteEntry }
+ *
+ * Reads the current websites.json from the config-repo, adds the entry
+ * (validated via parseWebsitesRegistry to share one truth on what makes
+ * a valid WebsiteEntry), and commits the new file back via the GitHub
+ * Contents API.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  let parsed: { entry?: WebsiteEntry } = {}
+  try {
+    parsed = (await request.json()) as { entry?: WebsiteEntry }
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+  if (!parsed.entry || typeof parsed.entry !== 'object') {
+    return new Response(JSON.stringify({ error: 'Missing "entry" in body' }), { status: 400 })
+  }
+
+  // The form leaves githubApp.appId blank when the user wants to fall back
+  // to GITHUB_APP_ID from the env. Inject it before validation so the
+  // registry sees a complete entry. The App-ID itself is not sensitive
+  // (it's public on every App's settings page on github.com), so writing
+  // it into websites.json is fine — but doing it server-side keeps the
+  // client form simpler.
+  const entry = parsed.entry as unknown as {
+    githubApp?: { appId?: string; installationId?: string }
+  }
+  if (entry.githubApp && !entry.githubApp.appId) {
+    const envAppId = process.env.GITHUB_APP_ID
+    if (envAppId) entry.githubApp.appId = envAppId
+  }
+
+  // Reuse parseWebsitesRegistry's per-entry validation by stuffing the new
+  // entry into a one-element registry — same rules everywhere.
+  const validation = parseWebsitesRegistry(JSON.stringify({ websites: [parsed.entry] }))
+  if (!validation.ok) {
+    return new Response(JSON.stringify({ error: validation.error.message }), { status: 400 })
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value)
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").',
+      }),
+      { status: 400 },
+    )
+  }
+
+  const current = await readWebsitesRegistryFromGitHub(target)
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 })
+  }
+
+  // License gate: enforce the per-tier website limit before mutating GitHub.
+  // 402 Payment Required is the most accurate code here — the registry would
+  // accept the entry, only the license disagrees.
+  const tier = resolveLicenseTier()
+  const allowed = canAddWebsite(tier, current.value.registry.websites.length)
+  if (!allowed.ok) {
+    return new Response(
+      JSON.stringify({ error: allowed.reason, tier: allowed.tier, limit: allowed.limit }),
+      { status: 402, headers: { 'Content-Type': 'application/json' } },
+    )
+  }
+
+  const merged = addWebsiteToRegistry(current.value.registry, parsed.entry)
+  if (!merged.ok) {
+    return new Response(JSON.stringify({ error: merged.error.message }), { status: 409 })
+  }
+
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    merged.value,
+    current.value.sha,
+    `feat(websites): add "${parsed.entry.id}" to registry`,
+  )
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 })
+  }
+
+  return new Response(JSON.stringify({ ok: true, websites: merged.value.websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/websites-list.ts

@@ -0,0 +1,40 @@
+import type { APIRoute } from 'astro'
+import { listAllWebsites } from './_website-resolver.js'
+
+/**
+ * GET /api/setzkasten/websites
+ *
+ * Returns the list of managed websites visible to the admin SPA.
+ * Strips private fields (`githubApp` installation refs, `allowedEmails`)
+ * — the client only needs ids/names/repos for the switcher.
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const session = cookies.get('setzkasten_session')?.value
+  if (!session) {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  const result = await listAllWebsites()
+  if (!result.ok) {
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status: 500,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  }
+
+  const websites = result.value.map((entry) => ({
+    id: entry.id,
+    name: entry.name,
+    repo: entry.repo,
+    branch: entry.branch,
+    previewOrigin: entry.previewOrigin,
+  }))
+
+  return new Response(JSON.stringify({ websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/api-routes/websites-remove.ts

@@ -0,0 +1,74 @@
+import { removeWebsiteFromRegistry } from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub,
+} from './_websites-store'
+
+/**
+ * POST /api/setzkasten/websites/remove
+ *
+ * Body: { id: string }
+ *
+ * Drops the matching entry from websites.json and commits the new file.
+ * Admin-only — editors must not be able to detach websites from the
+ * registry. Returns 404 when the id is not present, 502 when GitHub I/O
+ * fails.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  let body: { id?: string } = {}
+  try {
+    body = (await request.json()) as { id?: string }
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid JSON body' }), { status: 400 })
+  }
+  if (!body.id || typeof body.id !== 'string') {
+    return new Response(JSON.stringify({ error: 'Missing "id" in body' }), { status: 400 })
+  }
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(JSON.stringify({ error: tokenResult.error.message }), { status: 500 })
+  }
+
+  const target = resolveConfigRepoTargetFromGlobals(tokenResult.value)
+  if (!target) {
+    return new Response(
+      JSON.stringify({
+        error: 'Multi-mode storage not configured (storage.kind must be "multi").',
+      }),
+      { status: 400 },
+    )
+  }
+
+  const current = await readWebsitesRegistryFromGitHub(target)
+  if (!current.ok) {
+    return new Response(JSON.stringify({ error: current.error.message }), { status: 502 })
+  }
+
+  const next = removeWebsiteFromRegistry(current.value.registry, body.id)
+  if (!next.ok) {
+    return new Response(JSON.stringify({ error: next.error.message }), { status: 404 })
+  }
+
+  const written = await writeWebsitesRegistryToGitHub(
+    target,
+    next.value,
+    current.value.sha,
+    `chore(websites): remove "${body.id}" from registry`,
+  )
+  if (!written.ok) {
+    return new Response(JSON.stringify({ error: written.error.message }), { status: 502 })
+  }
+
+  return new Response(JSON.stringify({ ok: true, websites: next.value.websites }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}

package/src/init/__tests__/patcher-edge-cases.test.ts

@@ -25,9 +25,42 @@
  */
 
 import { describe, it, expect } from 'vitest'
-import { patchTemplateForFields, stripTemplateFallbacks } from '../../init/template-patcher-v2'
+import { patchTemplateForFields, stripTemplateFallbacks, convertToSetHtml } from '../../init/template-patcher-v2'
 import type { PatchField } from '../../init/template-patcher-v2'
 
+// ---------------------------------------------------------------------------
+// convertToSetHtml: auto-upgrade `<tag>{x?.field}</tag>` → `<tag set:html=…>`
+// when the inline RTE introduces HTML markup. Regression: previously the
+// regex only matched skData?.field / item.field, missing hand-rolled section
+// components (apps/website/...) that destructure `data` from Astro.props.
+// ---------------------------------------------------------------------------
+
+describe('convertToSetHtml — variable-name flexibility', () => {
+  it('converts data?.field bindings (Astro.props destructure pattern)', () => {
+    const source = `<h2 data-sk-field="how.heading">{data?.heading}</h2>`
+    expect(convertToSetHtml(source)).toBe(
+      `<h2 data-sk-field="how.heading" set:html={data?.heading}></h2>`,
+    )
+  })
+
+  it('still converts skData?.field bindings (canonical pattern)', () => {
+    const source = `<h2 data-sk-field="how.heading">{skData?.heading}</h2>`
+    expect(convertToSetHtml(source)).toBe(
+      `<h2 data-sk-field="how.heading" set:html={skData?.heading}></h2>`,
+    )
+  })
+
+  it('is idempotent — already-converted templates pass through unchanged', () => {
+    const source = `<h2 data-sk-field="how.heading" set:html={data?.heading}></h2>`
+    expect(convertToSetHtml(source)).toBe(source)
+  })
+
+  it('leaves data-sk-field elements with non-binding content alone', () => {
+    const source = `<h2 data-sk-field="how.heading">Static</h2>`
+    expect(convertToSetHtml(source)).toBe(source)
+  })
+})
+
 // ---------------------------------------------------------------------------
 // Edge Case 1: UTF-8 / multi-byte characters
 //