@setzkasten-cms/astro-admin 0.8.0 → 1.3.0

package/src/api-routes/_websites-store.ts

@@ -0,0 +1,120 @@
+/**
+ * Read/write the standalone admin's `websites.json` from the config repo.
+ * Pure HTTP — no caching here; the GitHub-side cache lives in
+ * GitHubWebsitesRegistry, which API routes invalidate explicitly after a
+ * successful write.
+ */
+
+import {
+  type Result,
+  type WebsitesRegistry,
+  err,
+  networkError,
+  ok,
+  parseWebsitesRegistry,
+} from '@setzkasten-cms/core'
+import { withTrailers } from './_commit-trailers'
+
+interface ConfigRepoTarget {
+  readonly owner: string
+  readonly repo: string
+  readonly branch: string
+  readonly path: string
+  readonly token: string
+}
+
+interface ReadResult {
+  readonly registry: WebsitesRegistry
+  readonly sha: string | null
+}
+
+const githubHeaders = (token: string) => ({
+  Authorization: `Bearer ${token}`,
+  Accept: 'application/vnd.github+json',
+  'X-GitHub-Api-Version': '2022-11-28',
+  'Content-Type': 'application/json',
+})
+
+export async function readWebsitesRegistryFromGitHub(
+  target: ConfigRepoTarget,
+): Promise<Result<ReadResult>> {
+  try {
+    const url = `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}?ref=${target.branch}`
+    const response = await fetch(url, { headers: githubHeaders(target.token) })
+
+    if (response.status === 404) {
+      return ok({ registry: { websites: [] }, sha: null })
+    }
+    if (!response.ok) {
+      return err(networkError(`GitHub returned ${response.status} reading ${target.path}`))
+    }
+
+    const data = (await response.json()) as { content: string; sha: string }
+    const decoded = Buffer.from(data.content, 'base64').toString('utf-8')
+    const parsed = parseWebsitesRegistry(decoded)
+    if (!parsed.ok) return parsed
+
+    return ok({ registry: parsed.value, sha: data.sha })
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to read ${target.path}: ${message}`, cause))
+  }
+}
+
+export async function writeWebsitesRegistryToGitHub(
+  target: ConfigRepoTarget,
+  registry: WebsitesRegistry,
+  previousSha: string | null,
+  commitMessage: string,
+): Promise<Result<void>> {
+  const body: Record<string, unknown> = {
+    message: withTrailers(commitMessage),
+    content: Buffer.from(JSON.stringify(registry, null, 2)).toString('base64'),
+    branch: target.branch,
+  }
+  if (previousSha) body.sha = previousSha
+
+  try {
+    const response = await fetch(
+      `https://api.github.com/repos/${target.owner}/${target.repo}/contents/${target.path}`,
+      { method: 'PUT', headers: githubHeaders(target.token), body: JSON.stringify(body) },
+    )
+
+    if (!response.ok) {
+      const text = await response.text()
+      return err(networkError(`GitHub PUT failed: ${response.status} ${text}`))
+    }
+    return ok(undefined)
+  } catch (cause) {
+    const message = cause instanceof Error ? cause.message : 'Unknown error'
+    return err(networkError(`Failed to write ${target.path}: ${message}`, cause))
+  }
+}
+
+/**
+ * Reads the standalone-admin storage config out of the build-time
+ * `__SETZKASTEN_FULL_CONFIG__` global. Returns null when the deployment
+ * is not in standalone mode (single-repo setups have no websites.json).
+ */
+export function resolveConfigRepoTargetFromGlobals(token: string): ConfigRepoTarget | null {
+  const fullConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
+    | { storage?: { kind: string; configRepo?: string; configBranch?: string } }
+    | undefined
+
+  // Accept the canonical 'multi' as well as the legacy 'standalone' alias.
+  // defineConfig() rewrites legacy values, but tests and direct setters of
+  // __SETZKASTEN_FULL_CONFIG__ may pass either form.
+  const storage = fullConfig?.storage
+  if (!storage || (storage.kind !== 'multi' && storage.kind !== 'standalone')) return null
+  if (!storage.configRepo) return null
+  const [owner, repo] = storage.configRepo.split('/')
+  if (!owner || !repo) return null
+
+  return {
+    owner,
+    repo,
+    branch: storage.configBranch ?? 'main',
+    path: 'websites.json',
+    token,
+  }
+}

package/src/api-routes/asset-proxy.ts

@@ -1,4 +1,5 @@
 import type { APIRoute } from 'astro'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Asset proxy – serves images from the private GitHub repo.
@@ -7,7 +8,7 @@ import type { APIRoute } from 'astro'
  * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
  * → fetches from GitHub API and returns the raw binary with correct Content-Type.
  */
-export const GET: APIRoute = async ({ params, cookies }) => {
+export const GET: APIRoute = async ({ params, request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) {
     return new Response('Unauthorized', { status: 401 })
@@ -18,10 +19,11 @@ export const GET: APIRoute = async ({ params, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const config = (globalThis as any).__SETZKASTEN_CONFIG__
   if (!config?.storage) {

package/src/api-routes/auth-callback.ts

@@ -1,5 +1,7 @@
 import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
+import { sessionCookieOptions } from './_session-cookie.js'
+import { makeRoleResolver } from './_role-resolver'
 
 /**
  * GitHub OAuth callback handler.
@@ -49,6 +51,7 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? '',
     redirectUri,
     allowedEmails,
+    resolveRole: makeRoleResolver('github', allowedEmails),
   })
 
   try {
@@ -59,13 +62,11 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     }
 
     const session = sessionResult.value
-    cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
-      httpOnly: true,
-      secure: import.meta.env.PROD,
-      sameSite: 'lax',
-      path: '/',
-      maxAge: 60 * 60 * 24 * 7,
-    })
+    cookies.set(
+      'setzkasten_session',
+      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      sessionCookieOptions(import.meta.env.PROD),
+    )
 
     return redirect(adminPath)
   } catch {

package/src/api-routes/auth-logout.ts

@@ -1,9 +1,13 @@
 import type { APIRoute } from 'astro'
+import { sessionCookieOptions } from './_session-cookie.js'
 
 /**
  * Logout – clears the session cookie and redirects to home.
+ * Mirrors the same `domain` attribute used when the cookie was set so the
+ * browser actually deletes it on subdomains in standalone-admin setups.
  */
 export const GET: APIRoute = async ({ cookies, redirect }) => {
-  cookies.delete('setzkasten_session', { path: '/' })
+  const opts = sessionCookieOptions(false)
+  cookies.delete('setzkasten_session', { path: '/', domain: opts.domain })
   return redirect('/')
 }

package/src/api-routes/auth-setzkasten-login.ts

@@ -3,6 +3,10 @@ import { verifyFirebaseJwt } from '@setzkasten-cms/auth'
 import { readEditorsFile } from './editors'
 import { readGlobalConfig } from './global-config'
 import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
+import { sessionCookieOptions } from './_session-cookie.js'
+import { makeRoleResolver } from './_role-resolver'
+import { gateFeature } from './_feature-gate'
 
 /**
  * POST /api/setzkasten/auth/setzkasten-login
@@ -10,8 +14,20 @@ import { resolveStorageConfig } from './_storage-config'
  *
  * Verifies the Firebase JWT against Firebase's public JWKS (no secret needed).
  * Access is gated exclusively by _editors.json (fail-closed).
+ *
+ * Editors live in the build-time-configured repo regardless of which website
+ * the request is targeting — in single-mode that's the website's repo, in
+ * multi-mode it's the config-repo. The per-request resolver and X-SK-Website
+ * header are intentionally NOT consulted here, because login predates any
+ * website selection.
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
+  // Feature-gate: Setzkasten-Login is the Firebase-based path that lets
+  // editors who don't have a GitHub account log in via Google. That entire
+  // flow is gated behind Pro/Enterprise.
+  const gate = gateFeature('google-auth')
+  if (gate) return gate
+
   const body = await request.json().catch(() => null)
   const idToken = body?.idToken as string | undefined
 
@@ -24,9 +40,14 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Storage not configured', { status: 500 })
   }
   const { owner, repo, branch } = storage
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath: string = serverConfig?.storage?.contentPath ?? 'content'
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? ''
+
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) {
+    return new Response(`GitHub token unavailable: ${tokenResult.error.message}`, { status: 503 })
+  }
 
   // Verify that SetzKastenLogin is configured (firebaseConfig must exist in global config)
   const globalCfg = await readGlobalConfig().catch(() => null)
@@ -35,26 +56,31 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 
   // Read editors list — fail-closed: if unreadable, deny all logins
-  const editors = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  const editors = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
   if (editors === null) {
     return new Response('Editors list unavailable — no access granted', { status: 503 })
   }
 
   const allowedEmails = editors.map((e) => e.email)
-  const result = await verifyFirebaseJwt(idToken, allowedEmails)
+  // Setzkasten-Login uses Firebase as the identity backend but logically
+  // grants the same role-resolution semantics as Google OAuth — both give
+  // an editors-file-listed user the role from that file.
+  const result = await verifyFirebaseJwt(
+    idToken,
+    allowedEmails,
+    makeRoleResolver('google', allowedEmails),
+  )
 
   if (!result.ok) {
     return new Response(result.error.message, { status: 403 })
   }
 
   const session = result.value
-  cookies.set('setzkasten_session', JSON.stringify({ user: session.user, expiresAt: session.expiresAt }), {
-    httpOnly: true,
-    secure: import.meta.env.PROD,
-    sameSite: 'lax',
-    path: '/',
-    maxAge: 60 * 60 * 24 * 7,
-  })
+  cookies.set(
+    'setzkasten_session',
+    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    sessionCookieOptions(import.meta.env.PROD),
+  )
 
   return Response.json({ ok: true })
 }

package/src/api-routes/catalog-add.ts

@@ -1,10 +1,11 @@
 import type { APIRoute } from 'astro'
 import { registry } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 import { validateCatalogAddBody, buildCatalogAddCommit } from './catalog-helpers'
 import { generateAddKey, addToPageConfig } from './section-management'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/add
@@ -19,8 +20,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as Record<string, unknown>
@@ -34,7 +38,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const { templateName, pageKey } = validated
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 
@@ -42,7 +46,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
     const contentPath = (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
 
-    const denied = guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig)
+    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
     if (denied) return denied
 
     const headers = {

package/src/api-routes/catalog-export.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { exportTemplate } from '@setzkasten-cms/catalog'
-import { resolveStorageConfig, prefixPath } from './_storage-config'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * POST /api/setzkasten/catalog/export
@@ -14,8 +15,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = cookies.get('setzkasten_session')?.value
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
+  }
+  const githubToken = tokenResult.value
 
   try {
     const body = await request.json() as {
@@ -30,7 +34,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       return Response.json({ error: 'sectionKey is required' }, { status: 400 })
     }
 
-    const storage = resolveStorageConfig(body)
+    const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
     const { owner, repo, branch, projectPrefix } = storage
 

package/src/api-routes/config.ts

@@ -2,10 +2,11 @@ import type { APIRoute } from 'astro'
 import { readGlobalConfig } from './global-config'
 
 /**
- * Returns the full SetzKastenConfig as JSON.
- * The config is injected into globalThis by the integration at build time.
- *
  * GET /api/setzkasten/config
+ *
+ * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
+ * (stored in _global_config.json) are merged over the static config so
+ * admins can change theme and Firebase settings without a code deployment.
  */
 export const GET: APIRoute = async () => {
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
@@ -13,13 +14,19 @@ export const GET: APIRoute = async () => {
 
   const globalCfg = await readGlobalConfig().catch(() => null)
 
+  const staticTheme = (config as any).theme ?? {}
+  const globalTheme = globalCfg?.theme ?? {}
+
   const result = {
-    storage: { kind: 'github' },
+    // Default fallback when no config is injected at build time. Real
+    // values are spread from `config` below.
+    storage: { kind: 'local' },
     auth: { providers: ['github'] },
-    theme: {},
     products: {},
     collections: {},
     ...config,
+    // Global config theme overrides static config theme field by field
+    theme: { ...staticTheme, ...globalTheme },
     // Include storage params so the client can create ProxyContentRepository
     _storage: ssrConfig?.storage ?? undefined,
     _hasGitHub: ssrConfig?.hasGitHub ?? false,

package/src/api-routes/editors.ts

@@ -1,12 +1,25 @@
 import type { APIRoute } from 'astro'
 import { resolveStorageConfig } from './_storage-config'
 import { parseSession } from './_auth-guard'
+import { resolveConfigRepoToken } from './_github-token'
 import type { ContentEditorConfig } from '@setzkasten-cms/core'
+import { validateEditorsUpdate } from '@setzkasten-cms/core'
 import { cachedFetch, invalidateCache } from './_github-cache'
 import { withTrailers } from './_commit-trailers'
+import { gateFeature } from './_feature-gate'
 
 const EDITORS_FILE = (contentPath: string) => `${contentPath}/_editors.json`
 
+// In Multi-Mode editors are global across all websites and live in the
+// config-repo; in Single-Mode the config-repo IS the website-repo. Either
+// way the answer is "the build-time-configured storage" — never the
+// per-website storage that the X-SK-Website header would route to.
+function configRepoStorage(): { owner: string; repo: string; branch: string } | null {
+  const storage = resolveStorageConfig()
+  if (!storage) return null
+  return { owner: storage.owner, repo: storage.repo, branch: storage.branch }
+}
+
 // ---------------------------------------------------------------------------
 // GET /api/setzkasten/editors
 // Returns the current editors list from _editors.json.
@@ -17,17 +30,18 @@ export const GET: APIRoute = async ({ cookies }) => {
   const session = parseSession(cookies.get('setzkasten_session')?.value)
   if (!session) return new Response('Unauthorized', { status: 401 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
 
-  const storage = resolveStorageConfig()
+  const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
-  const raw = await readEditorsFile(owner, repo, branch, contentPath, githubToken)
+  const raw = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value)
   return Response.json(raw ?? [])
 }
 
@@ -42,13 +56,19 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   if (!session) return new Response('Unauthorized', { status: 401 })
   if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
 
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-  if (!githubToken) return new Response('GitHub token not configured', { status: 500 })
+  // Feature-gate: editor management is a Pro feature. Free-tier admins
+  // can read the editors list (GET) but not write it.
+  const gate = gateFeature('editors')
+  if (gate) return gate
 
-  const storage = resolveStorageConfig()
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return new Response('GitHub token not configured', { status: 500 })
+
+  const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
@@ -60,10 +80,18 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
     return Response.json({ error: 'Invalid request body' }, { status: 400 })
   }
 
+  const validation = validateEditorsUpdate(editors, session.user.email)
+  if (!validation.ok) {
+    return Response.json(
+      { error: validation.message, code: validation.code },
+      { status: 400 },
+    )
+  }
+
   const filePath = EDITORS_FILE(contentPath)
   const fileContent = JSON.stringify(editors, null, 2)
   const headers = {
-    Authorization: `Bearer ${githubToken}`,
+    Authorization: `Bearer ${tokenResult.value}`,
     Accept: 'application/vnd.github+json',
     'X-GitHub-Api-Version': '2022-11-28',
     'Content-Type': 'application/json',
@@ -134,3 +162,59 @@ export async function readEditorsFile(
     return JSON.parse(raw) as ContentEditorConfig[]
   })
 }
+
+/**
+ * Discriminated result for the editors-file fetch. Lets callers decide the
+ * fail-mode policy: the auth-guard wants to ALLOW when the file is genuinely
+ * absent (no restrictions configured) but DENY when the fetch errors out.
+ * The basic readEditorsFile() above returns null for both cases, which is
+ * unsafe for authorization checks.
+ *
+ * Caller is responsible for caching — this function never reads from or
+ * writes to the shared cache, because caching an "error" state would
+ * silently extend privilege-escalation windows.
+ */
+export type EditorsStatus =
+  | { kind: 'absent' }
+  | { kind: 'present'; editors: ContentEditorConfig[] }
+  | { kind: 'error'; message: string }
+
+export async function readEditorsFileStatus(
+  owner: string,
+  repo: string,
+  branch: string,
+  contentPath: string,
+  token: string,
+): Promise<EditorsStatus> {
+  let res: Response
+  try {
+    res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    )
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'network error' }
+  }
+
+  if (res.status === 404) return { kind: 'absent' }
+  if (!res.ok) {
+    return { kind: 'error', message: `GitHub returned ${res.status}` }
+  }
+
+  try {
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
+    return { kind: 'present', editors: JSON.parse(raw) as ContentEditorConfig[] }
+  } catch (err) {
+    return { kind: 'error', message: err instanceof Error ? err.message : 'parse error' }
+  }
+}

package/src/api-routes/github-proxy.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import { resolveGitHubTokenForRequest } from './_github-token'
 
 /**
  * Server-side proxy for GitHub API calls.
@@ -21,12 +22,11 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
-  // GitHub App token from environment (never sent to client)
-  const githubToken = import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN
-
-  if (!githubToken) {
-    return new Response('GitHub token not configured', { status: 500 })
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 })
   }
+  const githubToken = tokenResult.value
 
   const githubUrl = `https://api.github.com/${githubPath}`
 

package/src/api-routes/global-config.ts

@@ -1,6 +1,7 @@
 import type { APIRoute } from 'astro'
 import { parseSession } from './_auth-guard'
 import { resolveStorageConfig } from './_storage-config'
+import { resolveConfigRepoToken } from './_github-token'
 import { cachedFetch, invalidateCache } from './_github-cache'
 import { withTrailers } from './_commit-trailers'
 
@@ -12,6 +13,11 @@ export interface GlobalConfig {
     authDomain: string
     projectId: string
   }
+  theme?: {
+    primaryColor?: string
+    brandName?: string
+    logo?: string
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -42,7 +48,7 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
     return Response.json({ error: 'Invalid request body' }, { status: 400 })
   }
 
-  const current = await readGlobalConfig() ?? {}
+  const current = (await readGlobalConfig()) ?? {}
   const next: GlobalConfig = { ...current }
   for (const [k, v] of Object.entries(patch)) {
     if (v === null) delete (next as Record<string, unknown>)[k]
@@ -54,23 +60,34 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
 
 // ---------------------------------------------------------------------------
 // Helpers
+//
+// Global config is a Setzkasten-instance-level file that lives in the
+// config-repo regardless of which website the request is targeting:
+// - Single-Mode: config-repo == website-repo, so this is fine
+// - Multi-Mode: config-repo holds editors + global config + websites.json
+// We deliberately ignore the request and X-SK-Website here; otherwise
+// global config would ping-pong between per-website locations as users
+// switch active sites.
 // ---------------------------------------------------------------------------
 
-function getStorageParams() {
-  const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
+async function getStorageParams() {
+  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
+    .__SETZKASTEN_CONFIG__
   const storage = resolveStorageConfig()
   if (!storage) return null
+  const tokenResult = await resolveConfigRepoToken()
+  if (!tokenResult.ok) return null
   return {
     owner: storage.owner,
     repo: storage.repo,
     branch: storage.branch,
     contentPath: serverConfig?.storage?.contentPath ?? 'content',
-    token: (import.meta.env.GITHUB_TOKEN ?? process.env.GITHUB_TOKEN ?? '') as string,
+    token: tokenResult.value,
   }
 }
 
 export async function readGlobalConfig(): Promise<GlobalConfig | null> {
-  const params = getStorageParams()
+  const params = await getStorageParams()
   if (!params) return null
   const { owner, repo, branch, contentPath, token } = params
   const key = `global-config:${owner}/${repo}:${branch}`
@@ -89,7 +106,7 @@ export async function readGlobalConfig(): Promise<GlobalConfig | null> {
 }
 
 export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
-  const params = getStorageParams()
+  const params = await getStorageParams()
   if (!params) throw new Error('Storage not configured')
   const { owner, repo, branch, contentPath, token } = params
   invalidateCache(`global-config:${owner}/${repo}:${branch}`)