@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

package/src/api-routes/__tests__/history-rollback.test.ts

@@ -0,0 +1,196 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ADMIN_SESSION = JSON.stringify({
+  user: { id: 'u1', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+const EDITOR_SESSION = JSON.stringify({
+  user: { id: 'u2', email: 'editor@example.com', role: 'editor', provider: 'google' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(body: unknown, sessionValue: string | null = ADMIN_SESSION) {
+  const request = new Request('https://cms.example.com/api/setzkasten/history/rollback', {
+    method: 'POST',
+    body: JSON.stringify(body),
+    headers: { 'content-type': 'application/json' },
+  })
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    kind: 'github-app',
+    repo: 'acme/site',
+    branch: 'main',
+    appId: '1',
+    installationId: '111',
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'github-app',
+      repo: 'acme/site',
+      branch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+const ROLLBACK_PATH = 'content/sections/hero.json'
+const TARGET_SHA = 'b'.repeat(40)
+const HEAD_SHA_FILE = 'c'.repeat(40)
+
+describe('POST /api/setzkasten/history/rollback', () => {
+  it('returns 401 without a session', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }, null),
+    )
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for editor session', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }, EDITOR_SESSION),
+    )
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 400 when path or sha missing', async () => {
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({ path: ROLLBACK_PATH }))
+    expect(res.status).toBe(400)
+  })
+
+  it('writes a new commit with the historical content', async () => {
+    const calls: string[] = []
+    const fetchMock = vi.fn(async (url: string | URL, init?: RequestInit) => {
+      const u = url instanceof URL ? url : new URL(url)
+      calls.push(`${init?.method ?? 'GET'} ${u.pathname}${u.search}`)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      // Read at target sha
+      if (u.search.includes(`ref=${TARGET_SHA}`)) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from('{"heading":"old"}').toString('base64'),
+            encoding: 'base64',
+            sha: 'old-blob',
+          }),
+        } as Response
+      }
+      // Read HEAD blob sha
+      if (u.search.includes('ref=main') && (init?.method ?? 'GET') === 'GET') {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ sha: HEAD_SHA_FILE }),
+        } as Response
+      }
+      // PUT new commit
+      if (init?.method === 'PUT' && u.pathname.includes('/contents/')) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({ commit: { sha: 'd'.repeat(40) } }),
+        } as Response
+      }
+      throw new Error(`unexpected URL: ${u.toString()}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: ROLLBACK_PATH, sha: TARGET_SHA }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.ok).toBe(true)
+    expect(body.commitSha).toBe('d'.repeat(40))
+    expect(calls.some((c) => c.startsWith('PUT'))).toBe(true)
+  })
+
+  it('returns 409 when expectedHeadSha does not match current HEAD', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      if (u.search.includes(`ref=${TARGET_SHA}`)) {
+        return {
+          ok: true,
+          status: 200,
+          json: async () => ({
+            content: Buffer.from('{"heading":"old"}').toString('base64'),
+            encoding: 'base64',
+            sha: 'old-blob',
+          }),
+        } as Response
+      }
+      // HEAD has SHA "moved-on" but client expected "expected"
+      return {
+        ok: true,
+        status: 200,
+        json: async () => ({ sha: 'moved-on-since-page-load' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../history-rollback')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({
+        path: ROLLBACK_PATH,
+        sha: TARGET_SHA,
+        expectedHeadSha: 'something-else-entirely',
+      }),
+    )
+    expect(res.status).toBe(409)
+    const body = await res.json()
+    expect(body.code).toBe('head-moved')
+  })
+})

package/src/api-routes/__tests__/history.test.ts

@@ -0,0 +1,168 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+const ADMIN_SESSION = JSON.stringify({
+  user: { id: 'u1', email: 'admin@example.com', role: 'admin', provider: 'github' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+const EDITOR_SESSION = JSON.stringify({
+  user: { id: 'u2', email: 'editor@example.com', role: 'editor', provider: 'google' },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(searchParams: Record<string, string>, sessionValue: string | null = ADMIN_SESSION) {
+  const url = new URL('https://cms.example.com/api/setzkasten/history')
+  for (const [k, v] of Object.entries(searchParams)) url.searchParams.set(k, v)
+  const request = new Request(url, { method: 'GET' })
+  return {
+    request,
+    url,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    kind: 'github-app',
+    repo: 'acme/site',
+    branch: 'main',
+    appId: '1',
+    installationId: '111',
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: {
+      kind: 'github-app',
+      repo: 'acme/site',
+      branch: 'main',
+      appId: '1',
+      installationId: '111',
+    },
+  }
+  // Reset history cache between tests so cachedFetch doesn't pollute state.
+  return import('../_github-cache').then((m) => {
+    // We don't know the keys, but the cache is keyed by route+args; tests
+    // pick fresh paths, so old entries simply expire. No reset API exposed.
+    void m
+  })
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+})
+
+const SAMPLE_COMMIT = {
+  sha: 'a'.repeat(40),
+  commit: {
+    author: { name: 'Maria', email: 'maria@example.com', date: '2026-05-01T12:00:00Z' },
+    message: `Update hero\n\nCo-authored-by: Editor <editor@example.com>`,
+  },
+  author: { avatar_url: 'https://avatars.example.com/maria.png' },
+}
+
+describe('GET /api/setzkasten/history', () => {
+  it('returns 401 without a session', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero.json' }, null),
+    )
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for editor (admin-only)', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero.json' }, EDITOR_SESSION),
+    )
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 400 when path is missing', async () => {
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(makeCtx({}))
+    expect(res.status).toBe(400)
+  })
+
+  it('returns parsed commits with co-authors and short sha', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      if (u.pathname.endsWith('/commits')) {
+        return { ok: true, status: 200, json: async () => [SAMPLE_COMMIT] } as Response
+      }
+      throw new Error(`unexpected URL: ${u.toString()}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { GET } = await import('../history')
+    // Use a fresh path each time to avoid cache hits from earlier tests
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/hero-' + Date.now() + '.json' }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.commits).toHaveLength(1)
+    expect(body.commits[0]).toMatchObject({
+      sha: 'a'.repeat(40),
+      shortSha: 'aaaaaaa',
+      authorName: 'Maria',
+      authorEmail: 'maria@example.com',
+      message: 'Update hero',
+    })
+    expect(body.commits[0].coAuthors).toEqual([
+      { name: 'Editor', email: 'editor@example.com' },
+    ])
+  })
+
+  it('returns empty list when GitHub returns 404 for the path', async () => {
+    const fetchMock = vi.fn(async (url: string | URL) => {
+      const u = url instanceof URL ? url : new URL(url)
+      if (u.pathname.endsWith('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      return { ok: false, status: 404, json: async () => ({}) } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { GET } = await import('../history')
+    const res = await (GET as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ path: 'content/sections/missing-' + Date.now() + '.json' }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.commits).toEqual([])
+  })
+})

package/src/api-routes/__tests__/init-scan-page-resolve-config.test.ts

@@ -0,0 +1,61 @@
+/**
+ * Tests for resolveFullConfig() — the helper that scan-page uses to read the
+ * full Setzkasten config in API-route context.
+ *
+ * Why this matters: when /api/setzkasten/init/scan-page is invoked as a
+ * standalone serverless function (Vercel cold-start), the `page-ssr`
+ * injectScript that sets globalThis.__SETZKASTEN_FULL_CONFIG__ never ran.
+ * Without a fallback, managedSections becomes an empty Map and every
+ * already-adopted section (e.g. _layout_header, _layout_footer) is offered
+ * for re-adoption. The fix: a Vite build-time define inlines the config
+ * into compiled API routes; resolveFullConfig() prefers the build-time
+ * constant and falls back to globalThis for local dev / tests.
+ *
+ * @vitest-environment node
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { resolveFullConfig } from '../init-scan-page'
+
+const SAMPLE_CONFIG = {
+  storage: { kind: 'github' as const },
+  products: {
+    website: {
+      label: 'Website',
+      sections: {
+        _layout_header: { label: 'header', icon: 'panel-top', fields: { items: { type: 'array' } } },
+        _layout_footer: { label: 'footer', icon: 'file-text', fields: { description: { type: 'text' } } },
+      },
+    },
+  },
+}
+
+beforeEach(() => {
+  delete (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__
+})
+
+afterEach(() => {
+  delete (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__
+})
+
+describe('resolveFullConfig', () => {
+  it('returns undefined when neither build-define nor globalThis is set', () => {
+    expect(resolveFullConfig()).toBeUndefined()
+  })
+
+  it('reads config from globalThis.__SETZKASTEN_FULL_CONFIG__', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = SAMPLE_CONFIG
+    const result = resolveFullConfig()
+    expect(result).toBeDefined()
+    expect(result?.products.website?.sections._layout_header).toBeDefined()
+    expect(result?.products.website?.sections._layout_footer).toBeDefined()
+  })
+
+  it('exposes section keys so managedSections can detect adopted layout regions', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = SAMPLE_CONFIG
+    const result = resolveFullConfig()
+    const keys = result ? Object.keys(result.products.website!.sections) : []
+    expect(keys).toContain('_layout_header')
+    expect(keys).toContain('_layout_footer')
+  })
+})

package/src/api-routes/__tests__/license-tier.test.ts

@@ -0,0 +1,45 @@
+/**
+ * @vitest-environment node
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { resolveLicenseTier } from '../_license-tier'
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+})
+
+afterEach(() => {
+  vi.unstubAllEnvs()
+})
+
+describe('resolveLicenseTier', () => {
+  it('returns free when no license key is configured', () => {
+    expect(resolveLicenseTier()).toBe('free')
+  })
+
+  it('returns pro for an SK-PRO-* key', () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+    expect(resolveLicenseTier()).toBe('pro')
+  })
+
+  it('returns enterprise for an SK-ENT-* key', () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-ENT-AAAAAAAA-BBBBBBBB-CCCCCCCC')
+    expect(resolveLicenseTier()).toBe('enterprise')
+  })
+
+  it('returns free for an unrecognised prefix', () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-FAKE-XXXXXXXX')
+    expect(resolveLicenseTier()).toBe('free')
+  })
+
+  it('returns free for empty string', () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', '')
+    expect(resolveLicenseTier()).toBe('free')
+  })
+
+  it('trims surrounding whitespace before deciding', () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', '  SK-PRO-AAAA-BBBB-CCCC  ')
+    expect(resolveLicenseTier()).toBe('pro')
+  })
+})

package/src/api-routes/__tests__/migrate-to-multi.test.ts

@@ -0,0 +1,189 @@
+/**
+ * @vitest-environment node
+ */
+
+import { generateKeyPairSync } from 'node:crypto'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
+
+function makeCtx(body: unknown, sessionValue = 'valid', role: 'admin' | 'editor' = 'admin') {
+  const request = new Request('https://cms.example.com/api/setzkasten/migrate/to-multi', {
+    method: 'POST',
+    body: JSON.stringify(body),
+    headers: { 'content-type': 'application/json' },
+  })
+  const sessionPayload = sessionValue
+    ? JSON.stringify({ user: { email: 'a@b.com', role }, expiresAt: Date.now() + 60_000 })
+    : ''
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionPayload ? { value: sessionPayload } : undefined,
+      ),
+    },
+  }
+}
+
+beforeEach(() => {
+  vi.unstubAllEnvs()
+  vi.stubEnv('GITHUB_APP_ID', '1')
+  vi.stubEnv('GITHUB_APP_INSTALLATION_ID', '111')
+  vi.stubEnv('GITHUB_APP_PRIVATE_KEY', PEM)
+  vi.stubEnv('SETZKASTEN_LICENSE_KEY', 'SK-PRO-AAAA-BBBB-CCCC')
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+    storage: { kind: 'single', repo: 'acme/site', appId: '1', installationId: '111' },
+  }
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = {
+    owner: 'acme',
+    repo: 'site',
+    branch: 'main',
+    contentPath: 'content',
+    assetsPath: 'public/images',
+    projectPrefix: '',
+  }
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+})
+
+describe('POST /api/setzkasten/migrate/to-multi', () => {
+  it('returns 401 without a session', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({}, ''))
+
+    expect(res.status).toBe(401)
+  })
+
+  it('returns 403 for non-admin users', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx({}, 'valid', 'editor'))
+
+    expect(res.status).toBe(403)
+  })
+
+  it('returns 402 for free license tier', async () => {
+    vi.stubEnv('SETZKASTEN_LICENSE_KEY', '')
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+    const body = (await res.json()) as { error?: string }
+
+    expect(res.status).toBe(402)
+    expect(body.error).toMatch(/Pro.*Enterprise/i)
+  })
+
+  it('returns 400 when configRepo is missing', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when configInstallationId is missing', async () => {
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('returns 400 when current setup is already multi', async () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      storage: { kind: 'multi', configRepo: 'a/b', appId: '1', installationId: '1' },
+    }
+
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(400)
+  })
+
+  it('copies editors+global and writes a single-entry websites.json', async () => {
+    const calls: Array<{ url: string; method?: string; body?: unknown }> = []
+    const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+      calls.push({ url, method: init?.method, body: init?.body })
+      if (url.includes('/access_tokens')) {
+        return {
+          ok: true,
+          json: async () => ({
+            token: 'gh_mock',
+            expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          }),
+        } as Response
+      }
+      // Source reads (website-repo)
+      if (url.includes('/repos/acme/site/contents/content/_editors.json')) {
+        return {
+          ok: true,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify([{ email: 'a@b.com' }])).toString('base64'),
+            sha: 'editors-sha',
+          }),
+        } as Response
+      }
+      if (url.includes('/repos/acme/site/contents/content/_global_config.json')) {
+        return {
+          ok: true,
+          json: async () => ({
+            content: Buffer.from(JSON.stringify({ theme: { brandName: 'X' } })).toString('base64'),
+            sha: 'gc-sha',
+          }),
+        } as Response
+      }
+      // Target writes (config-repo)
+      if (url.includes('/repos/acme/cms-config/contents/') && init?.method === 'PUT') {
+        return { ok: true, json: async () => ({ content: { sha: 'new' } }) } as Response
+      }
+      // Target reads (websites.json) — assume not yet present
+      if (
+        url.includes('/repos/acme/cms-config/contents/websites.json') &&
+        (init?.method ?? 'GET') === 'GET'
+      ) {
+        return new Response(null, { status: 404 })
+      }
+      throw new Error(`unexpected URL: ${url} method=${init?.method}`)
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../migrate-to-multi')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(
+      makeCtx({ configRepo: 'acme/cms-config', configInstallationId: '999' }),
+    )
+
+    expect(res.status).toBe(200)
+    const body = (await res.json()) as {
+      ok: boolean
+      committed: { editors: boolean; globalConfig: boolean; websites: boolean }
+    }
+    expect(body.ok).toBe(true)
+    expect(body.committed.editors).toBe(true)
+    expect(body.committed.globalConfig).toBe(true)
+    expect(body.committed.websites).toBe(true)
+
+    // Ensure the websites.json write contained the source-website snapshot
+    const websitesPut = calls.find(
+      (c) => c.method === 'PUT' && c.url.includes('/repos/acme/cms-config/contents/websites.json'),
+    )
+    expect(websitesPut).toBeDefined()
+    const websitesBody = JSON.parse(String(websitesPut!.body)) as { content: string }
+    const websitesPayload = JSON.parse(
+      Buffer.from(websitesBody.content, 'base64').toString('utf-8'),
+    )
+    expect(websitesPayload.websites).toHaveLength(1)
+    expect(websitesPayload.websites[0].repo).toBe('acme/site')
+    expect(websitesPayload.websites[0].githubApp.installationId).toBe('111')
+  })
+})