npm - @setzkasten-cms/astro-admin - Versions diffs - 0.8.0 → 1.3.0 - Mend

@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/package.json +22 -6
package/src/admin-page.astro +1 -1
package/src/api-routes/__tests__/auth-guard.test.ts +134 -0
package/src/api-routes/__tests__/feature-gate.test.ts +60 -0
package/src/api-routes/__tests__/github-token-for-request.test.ts +112 -0
package/src/api-routes/__tests__/github-token.test.ts +78 -0
package/src/api-routes/__tests__/global-config-theme.test.ts +71 -0
package/src/api-routes/__tests__/history-rollback.test.ts +196 -0
package/src/api-routes/__tests__/history.test.ts +168 -0
package/src/api-routes/__tests__/init-scan-page-resolve-config.test.ts +61 -0
package/src/api-routes/__tests__/license-tier.test.ts +45 -0
package/src/api-routes/__tests__/migrate-to-multi.test.ts +189 -0
package/src/api-routes/__tests__/pages-meta-store.test.ts +179 -0
package/src/api-routes/__tests__/route-registry.test.ts +120 -0
package/src/api-routes/__tests__/session-cookie.test.ts +67 -0
package/src/api-routes/__tests__/setup-github-app-callback.test.ts +152 -0
package/src/api-routes/__tests__/setup-github-app-repos.test.ts +192 -0
package/src/api-routes/__tests__/setup-github-app.test.ts +107 -0
package/src/api-routes/__tests__/storage-config-for-request.test.ts +78 -0
package/src/api-routes/__tests__/webhook-signing.test.ts +39 -0
package/src/api-routes/__tests__/webhooks.test.ts +219 -0
package/src/api-routes/__tests__/website-resolver-bootstrap-standalone.test.ts +85 -0
package/src/api-routes/__tests__/website-resolver-bootstrap.test.ts +108 -0
package/src/api-routes/__tests__/website-resolver.test.ts +123 -0
package/src/api-routes/__tests__/websites-add.test.ts +305 -0
package/src/api-routes/__tests__/websites-list.test.ts +112 -0
package/src/api-routes/__tests__/websites-remove.test.ts +155 -0
package/src/api-routes/_auth-guard.ts +134 -13
package/src/api-routes/_feature-gate.ts +39 -0
package/src/api-routes/_github-token.ts +64 -0
package/src/api-routes/_license-tier.ts +25 -0
package/src/api-routes/_pages-meta-store.ts +134 -0
package/src/api-routes/_role-resolver.ts +60 -0
package/src/api-routes/_session-cookie.ts +42 -0
package/src/api-routes/_storage-config.ts +77 -4
package/src/api-routes/_vercel-origin.ts +22 -0
package/src/api-routes/_webhook-dispatcher.ts +120 -0
package/src/api-routes/_webhook-signing.ts +13 -0
package/src/api-routes/_webhook-status-store.ts +31 -0
package/src/api-routes/_website-resolver.ts +243 -0
package/src/api-routes/_websites-store.ts +120 -0
package/src/api-routes/asset-proxy.ts +6 -4
package/src/api-routes/auth-callback.ts +8 -7
package/src/api-routes/auth-logout.ts +5 -1
package/src/api-routes/auth-setzkasten-login.ts +37 -11
package/src/api-routes/catalog-add.ts +9 -5
package/src/api-routes/catalog-export.ts +8 -4
package/src/api-routes/config.ts +12 -5
package/src/api-routes/editors.ts +94 -10
package/src/api-routes/github-proxy.ts +5 -5
package/src/api-routes/global-config.ts +23 -6
package/src/api-routes/history-rollback.ts +144 -0
package/src/api-routes/history-version.ts +57 -0
package/src/api-routes/history.ts +119 -0
package/src/api-routes/init-add-section.ts +13 -5
package/src/api-routes/init-apply.ts +5 -3
package/src/api-routes/init-migrate.ts +7 -5
package/src/api-routes/init-scan-page.ts +26 -6
package/src/api-routes/init-scan.ts +5 -3
package/src/api-routes/migrate-to-multi.ts +255 -0
package/src/api-routes/pages.ts +118 -4
package/src/api-routes/section-add.ts +15 -5
package/src/api-routes/section-commit-pending.ts +117 -5
package/src/api-routes/section-delete.ts +29 -5
package/src/api-routes/section-duplicate.ts +15 -5
package/src/api-routes/section-prepare-copy.ts +15 -4
package/src/api-routes/section-prepare.ts +9 -5
package/src/api-routes/setup-github-app-bounce.ts +52 -0
package/src/api-routes/setup-github-app-branches.ts +63 -0
package/src/api-routes/setup-github-app-callback.ts +71 -0
package/src/api-routes/setup-github-app-installed.ts +44 -0
package/src/api-routes/setup-github-app-repos.ts +46 -0
package/src/api-routes/setup-github-app.ts +58 -0
package/src/api-routes/updater-register.ts +37 -25
package/src/api-routes/updater-transfer.ts +1 -12
package/src/api-routes/webhooks-status.ts +17 -0
package/src/api-routes/webhooks-test.ts +134 -0
package/src/api-routes/webhooks.ts +163 -0
package/src/api-routes/websites-add.ts +113 -0
package/src/api-routes/websites-list.ts +40 -0
package/src/api-routes/websites-remove.ts +74 -0
package/src/init/__tests__/patcher-edge-cases.test.ts +34 -1
package/src/init/__tests__/patcher-mixed-content-wrapper.test.ts +90 -0
package/src/init/template-patcher-v2.ts +42 -4
package/LICENSE +0 -37

package/src/api-routes/__tests__/pages-meta-store.test.ts ADDED Viewed

@@ -0,0 +1,179 @@
+/**
+ * @vitest-environment node
+ */
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+const TARGET = {
+  owner: 'acme',
+  repo: 'site',
+  branch: 'main',
+  contentPath: 'content',
+  token: 'gh-token',
+}
+beforeEach(() => {
+  vi.unstubAllEnvs()
+})
+afterEach(() => {
+  vi.restoreAllMocks()
+  vi.unstubAllEnvs()
+})
+function fetchSequence(steps: Array<(url: string, init?: RequestInit) => Response | Promise<Response>>) {
+  let i = 0
+  const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+    const handler = steps[Math.min(i++, steps.length - 1)]
+    if (!handler) throw new Error('fetchSequence: empty step list')
+    return handler(url, init)
+  })
+  vi.stubGlobal('fetch', fetchMock)
+  return fetchMock
+}
+describe('readPagesMeta', () => {
+  it('returns an empty meta when GitHub responds 404', async () => {
+    fetchSequence([() => new Response(null, { status: 404 })])
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.meta.pages).toEqual({})
+      expect(result.value.sha).toBeNull()
+    }
+  })
+  it('returns the parsed meta + sha when the file exists', async () => {
+    const meta = { version: 1, pages: { index: { lastModified: 5 } } }
+    fetchSequence([
+      () =>
+        new Response(
+          JSON.stringify({ content: Buffer.from(JSON.stringify(meta)).toString('base64'), sha: 'abc' }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+    ])
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.meta.pages.index?.lastModified).toBe(5)
+      expect(result.value.sha).toBe('abc')
+    }
+  })
+  it('falls through to network error on non-404 failures', async () => {
+    fetchSequence([() => new Response('boom', { status: 500 })])
+    const { readPagesMeta } = await import('../_pages-meta-store')
+    const result = await readPagesMeta(TARGET)
+    expect(result.ok).toBe(false)
+  })
+})
+describe('recordPageEdit', () => {
+  it('reads, sets the timestamp, writes back — with the correct sha', async () => {
+    const calls: { url: string; method?: string; body?: unknown }[] = []
+    const existingMeta = { version: 1, pages: { index: { lastModified: 1 } } }
+    fetchSequence([
+      // 1) GET existing meta
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify(existingMeta)).toString('base64'),
+            sha: 'old-sha',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        )
+      },
+      // 2) PUT updated meta
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(JSON.stringify({ content: { sha: 'new-sha' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      },
+    ])
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 99)
+    expect(result.ok).toBe(true)
+    expect(calls).toHaveLength(2)
+    expect(calls[1]?.method).toBe('PUT')
+    const writtenBody = JSON.parse(String(calls[1]?.body)) as { content: string; sha?: string }
+    expect(writtenBody.sha).toBe('old-sha')
+    const writtenMeta = JSON.parse(Buffer.from(writtenBody.content, 'base64').toString('utf-8'))
+    expect(writtenMeta.pages.index.lastModified).toBe(1)
+    expect(writtenMeta.pages.about.lastModified).toBe(99)
+  })
+  it('initialises the file when it does not exist (no sha sent)', async () => {
+    const calls: { url: string; method?: string; body?: unknown }[] = []
+    fetchSequence([
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(null, { status: 404 })
+      },
+      (url, init) => {
+        calls.push({ url, method: init?.method, body: init?.body })
+        return new Response(JSON.stringify({ content: { sha: 'first' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        })
+      },
+    ])
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 42)
+    expect(result.ok).toBe(true)
+    const putBody = JSON.parse(String(calls[1]?.body)) as { sha?: string }
+    expect(putBody.sha).toBeUndefined()
+  })
+  it('retries once on a 409 conflict, succeeds on the second write', async () => {
+    const empty = { version: 1, pages: {} }
+    fetchSequence([
+      () =>
+        new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify(empty)).toString('base64'),
+            sha: 'first',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+      // First PUT → 409
+      () => new Response('conflict', { status: 409 }),
+      // Re-read with newer sha
+      () =>
+        new Response(
+          JSON.stringify({
+            content: Buffer.from(JSON.stringify({ version: 1, pages: { x: { lastModified: 2 } } })).toString(
+              'base64',
+            ),
+            sha: 'second',
+          }),
+          { status: 200, headers: { 'content-type': 'application/json' } },
+        ),
+      // Second PUT → ok
+      () =>
+        new Response(JSON.stringify({ content: { sha: 'third' } }), {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        }),
+    ])
+    const { recordPageEdit } = await import('../_pages-meta-store')
+    const result = await recordPageEdit(TARGET, 'about', 7)
+    expect(result.ok).toBe(true)
+  })
+})

package/src/api-routes/__tests__/route-registry.test.ts ADDED Viewed

@@ -0,0 +1,120 @@
+/**
+ * Route-Registry-Konsistenztest
+ *
+ * Jede öffentliche Route-Datei in packages/astro-admin/src/api-routes/
+ * muss an drei Stellen registriert sein:
+ *   1. Als Export in packages/astro-admin/package.json
+ *   2. Als injectRoute-Entrypoint in packages/astro/src/integration.ts
+ *
+ * Ausnahmen (kein Export, kein injectRoute nötig):
+ *   - Dateien mit `_`-Prefix  → interne Helpers
+ *   - Dateien mit `-helpers`  → interne Helpers
+ *   - Dateien mit `-management` → interne Helpers (nur von anderen Routes importiert)
+ *
+ * Dieser Test verhindert, dass neue Route-Dateien vergessen werden —
+ * ein Fehler, der erst beim Produktions-Build auffällt (ENOENT).
+ */
+import { describe, it, expect } from 'vitest'
+import { readdirSync, readFileSync } from 'node:fs'
+import { resolve, dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+const __dirname = dirname(fileURLToPath(import.meta.url))
+// Test sits at src/api-routes/__tests__, so go up three levels
+const ADMIN_ROOT = resolve(__dirname, '../../../')         // packages/astro-admin
+const ASTRO_ROOT = resolve(__dirname, '../../../../astro') // packages/astro
+// ---------------------------------------------------------------------------
+// Load sources
+// ---------------------------------------------------------------------------
+const routeFiles = readdirSync(resolve(ADMIN_ROOT, 'src/api-routes')).filter(
+  f => f.endsWith('.ts') && !f.endsWith('.test.ts'),
+)
+const packageJson = JSON.parse(
+  readFileSync(resolve(ADMIN_ROOT, 'package.json'), 'utf-8'),
+) as { exports: Record<string, string> }
+const integrationSrc = readFileSync(
+  resolve(ASTRO_ROOT, 'src/integration.ts'),
+  'utf-8',
+)
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Files that are internal — no export or injectRoute needed */
+function isInternal(filename: string): boolean {
+  const base = filename.replace(/\.ts$/, '')
+  return (
+    base.startsWith('_') ||
+    base.endsWith('-helpers') ||
+    base.endsWith('-management')
+  )
+}
+/** Export key as used in package.json, e.g. "catalog-list" → "./catalog" special-cased */
+function exportKey(filename: string): string {
+  const base = filename.replace(/\.ts$/, '')
+  // Special case: catalog-list is exported as "./catalog"
+  if (base === 'catalog-list') return './catalog'
+  return `./${base}`
+}
+function entrypoint(filename: string): string {
+  const base = filename.replace(/\.ts$/, '')
+  if (base === 'catalog-list') return '@setzkasten-cms/astro-admin/catalog'
+  return `@setzkasten-cms/astro-admin/${base}`
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+const publicRoutes = routeFiles.filter(f => !isInternal(f))
+describe('Route-Registry-Konsistenz', () => {
+  describe('package.json exports', () => {
+    for (const file of publicRoutes) {
+      it(`${file} ist in package.json exports registriert`, () => {
+        const key = exportKey(file)
+        expect(
+          packageJson.exports,
+          `Fehlender Export: "${key}" in packages/astro-admin/package.json`,
+        ).toHaveProperty(key)
+      })
+    }
+  })
+  describe('integration.ts injectRoute', () => {
+    for (const file of publicRoutes) {
+      it(`${file} ist als injectRoute-Entrypoint in integration.ts registriert`, () => {
+        const ep = entrypoint(file)
+        expect(
+          integrationSrc,
+          `Fehlender injectRoute-Eintrag für '${ep}' in packages/astro/src/integration.ts`,
+        ).toContain(`'${ep}'`)
+      })
+    }
+  })
+  describe('Keine verwaisten Exports', () => {
+    it('alle package.json-Exports (astro-admin routes) haben eine entsprechende Datei', () => {
+      const routeExports = Object.entries(packageJson.exports)
+        .filter(([, v]) => v.startsWith('./src/api-routes/'))
+        .map(([k]) => k)
+      const knownKeys = new Set(publicRoutes.map(exportKey))
+      for (const key of routeExports) {
+        expect(
+          knownKeys.has(key),
+          `Export "${key}" in package.json hat keine Route-Datei mehr`,
+        ).toBe(true)
+      }
+    })
+  })
+})

package/src/api-routes/__tests__/session-cookie.test.ts ADDED Viewed

@@ -0,0 +1,67 @@
+/**
+ * @vitest-environment node
+ */
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { sessionCookieOptions } from '../_session-cookie'
+beforeEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  vi.unstubAllEnvs()
+})
+afterEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+  vi.unstubAllEnvs()
+})
+describe('sessionCookieOptions', () => {
+  it('returns secure defaults regardless of config', () => {
+    const opts = sessionCookieOptions(false)
+    expect(opts.httpOnly).toBe(true)
+    expect(opts.sameSite).toBe('lax')
+    expect(opts.path).toBe('/')
+    expect(opts.maxAge).toBe(60 * 60 * 24 * 7)
+  })
+  it('toggles secure with the prod flag', () => {
+    expect(sessionCookieOptions(false).secure).toBe(false)
+    expect(sessionCookieOptions(true).secure).toBe(true)
+  })
+  it('omits domain when no cookieDomain is configured (single-repo default)', () => {
+    expect(sessionCookieOptions(true).domain).toBeUndefined()
+  })
+  it('reads cookieDomain from __SETZKASTEN_FULL_CONFIG__.auth.cookieDomain', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '.example.com' },
+    }
+    expect(sessionCookieOptions(true).domain).toBe('.example.com')
+  })
+  it('falls back to SETZKASTEN_COOKIE_DOMAIN env when full config has no value', () => {
+    vi.stubEnv('SETZKASTEN_COOKIE_DOMAIN', '.example.com')
+    expect(sessionCookieOptions(true).domain).toBe('.example.com')
+  })
+  it('config wins over env', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '.config.example.com' },
+    }
+    vi.stubEnv('SETZKASTEN_COOKIE_DOMAIN', '.env.example.com')
+    expect(sessionCookieOptions(true).domain).toBe('.config.example.com')
+  })
+  it('treats empty cookieDomain as unset', () => {
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = {
+      auth: { cookieDomain: '' },
+    }
+    expect(sessionCookieOptions(true).domain).toBeUndefined()
+  })
+})

package/src/api-routes/__tests__/setup-github-app-callback.test.ts ADDED Viewed

@@ -0,0 +1,152 @@
+/**
+ * Tests for setup-github-app-callback.ts
+ *
+ * Key regression: cookies.set() nach Response.redirect() wirft
+ * "TypeError: immutable" weil Response.redirect() eine frozen Response
+ * zurückgibt. Fix: manuelles new Response(null, { status: 302 }).
+ *
+ * @vitest-environment node
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+// ---------------------------------------------------------------------------
+// Minimal Astro context mock
+// ---------------------------------------------------------------------------
+function makeCookies() {
+  const jar: Record<string, string> = {}
+  return {
+    set: vi.fn((name: string, value: string) => { jar[name] = value }),
+    get: vi.fn((name: string) => jar[name] ? { value: jar[name] } : undefined),
+    _jar: jar,
+  }
+}
+function makeCtx(code: string | null, headers: Record<string, string> = {}) {
+  const search = code ? `?code=${code}` : ''
+  const url = new URL(`https://localhost/api/setzkasten/setup/github-app/callback${search}`)
+  const request = new Request(url, { headers: { 'x-forwarded-host': 'setzkasten.vercel.app', 'x-forwarded-proto': 'https', ...headers } })
+  return { url, request, cookies: makeCookies() }
+}
+const GITHUB_RESPONSE = {
+  id: 123456,
+  slug: 'meine-cms-app',
+  pem: '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n',
+  client_id: 'Iv1.abc',
+  client_secret: 'secret',
+  webhook_secret: null,
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('setup-github-app-callback', () => {
+  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
+  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+  it('setzt Cookie und leitet zum Standard-adminPath weiter bei erfolgreichem Code-Austausch', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123')
+    const res = await (GET as Function)(ctx)
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toBe('https://setzkasten.vercel.app/admin')
+    expect(ctx.cookies.set).toHaveBeenCalledOnce()
+    const stored = ctx.cookies._jar['sk_app_setup']
+    expect(stored).toBeDefined()
+    const cookieValue = JSON.parse(stored as string)
+    expect(cookieValue.appId).toBe('123456')
+    expect(cookieValue.slug).toBe('meine-cms-app')
+    expect(cookieValue.privateKey).toContain('RSA PRIVATE KEY')
+    // v1.2: GitHub-App also serves as the OAuth provider for admin
+    // login. The Manifest exchange returns client_id + client_secret
+    // alongside the App credentials; we capture both so the wizard
+    // can surface them as env vars and the CLI doesn't need to ask
+    // for OAuth credentials separately.
+    expect(cookieValue.clientId).toBe('Iv1.abc')
+    expect(cookieValue.clientSecret).toBe('secret')
+  })
+  it('Response ist nicht immutable — Cookie-Header kann gesetzt werden', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({
+      ok: true,
+      json: async () => GITHUB_RESPONSE,
+    } as Response)
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123')
+    const res = await (GET as Function)(ctx)
+    // Wenn Response.redirect() verwendet würde, wäre der Response immutable
+    // und das Setzen eines Headers würde "TypeError: immutable" werfen.
+    // Dieser Test schlägt fehl, wenn die falsche Implementierung verwendet wird.
+    expect(() => res.headers.set('X-Test', 'ok')).not.toThrow()
+  })
+  it('leitet mit github-app-error=missing_code weiter wenn kein Code', async () => {
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx(null)
+    const res = await (GET as Function)(ctx)
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toContain('github-app-error=missing_code')
+    expect(ctx.cookies.set).not.toHaveBeenCalled()
+  })
+  it('leitet mit github-app-error=exchange_failed weiter wenn GitHub-API fehlschlägt', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: false, status: 422, json: async () => ({}) } as Response)
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('badcode')
+    const res = await (GET as Function)(ctx)
+    expect(res.status).toBe(302)
+    expect(res.headers.get('location')).toContain('github-app-error=exchange_failed')
+    expect(ctx.cookies.set).not.toHaveBeenCalled()
+  })
+  it('Redirect-URL enthält den echten Host aus x-forwarded-host', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    const { GET } = await import('../setup-github-app-callback')
+    const ctx = makeCtx('abc123', { 'x-forwarded-host': 'meine-website.de', 'x-forwarded-proto': 'https' })
+    const res = await (GET as Function)(ctx)
+    expect(res.headers.get('location')).toBe('https://meine-website.de/admin')
+  })
+})
+describe('setup-github-app-callback – adminPath', () => {
+  beforeEach(() => { vi.stubGlobal('fetch', vi.fn()) })
+  afterEach(() => { vi.restoreAllMocks(); vi.resetModules() })
+  it('verwendet /admin als Standard-Redirect wenn kein adminPath konfiguriert', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    ;(globalThis as any).__SETZKASTEN_CONFIG__ = undefined
+    const { GET } = await import('../setup-github-app-callback')
+    const res = await (GET as Function)(makeCtx('abc123'))
+    const location = new URL(res.headers.get('location') ?? '')
+    expect(location.pathname).toBe('/admin')
+  })
+  it('verwendet konfigurierten adminPath für den Redirect', async () => {
+    vi.mocked(fetch).mockResolvedValueOnce({ ok: true, json: async () => GITHUB_RESPONSE } as Response)
+    ;(globalThis as any).__SETZKASTEN_CONFIG__ = { adminPath: '/cms' }
+    const { GET } = await import('../setup-github-app-callback')
+    const res = await (GET as Function)(makeCtx('abc123'))
+    expect(res.headers.get('location')).toContain('/cms')
+  })
+})