@setzkasten-cms/astro-admin 1.1.0 → 1.3.0

package/src/api-routes/history-rollback.ts

@@ -0,0 +1,144 @@
+import type { APIRoute } from 'astro'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { parseSession, requireAdmin } from './_auth-guard'
+import { withTrailers } from './_commit-trailers'
+import { invalidateCache } from './_github-cache'
+
+interface RollbackBody {
+  path?: string
+  sha?: string
+  /** Optional ETag-style guard: client sends the SHA they think is HEAD;
+   *  if HEAD has moved, we 409 to prevent stomping live edits. */
+  expectedHeadSha?: string
+}
+
+/**
+ * POST /api/setzkasten/history/rollback
+ *
+ * Body: { path, sha, expectedHeadSha? }
+ *
+ * Restores `path` to the contents from `sha` by writing a new commit
+ * (no `git revert` — JSON content is set wholesale). The original SHA
+ * stays in history so users can roll forward again.
+ *
+ * Conflict semantics: the client passes the SHA they currently render in
+ * the file picker. If the file's HEAD has moved between page-load and the
+ * rollback click, we return 409 with `code: 'head-moved'` so the UI can
+ * tell the user to refresh.
+ *
+ * Admin-only — editors can edit, but rollback is destructive enough to
+ * warrant the audit-log control.
+ */
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
+  if (!session) return new Response('Unauthorized', { status: 401 })
+
+  let body: RollbackBody
+  try {
+    body = (await request.json()) as RollbackBody
+  } catch {
+    return Response.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+  const { path, sha, expectedHeadSha } = body
+  if (!path || !sha) {
+    return Response.json({ error: 'path and sha are required' }, { status: 400 })
+  }
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch } = storage
+
+  const headers = {
+    Authorization: `Bearer ${tokenResult.value}`,
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'Content-Type': 'application/json',
+  }
+
+  // 1. Fetch contents of the file at the target sha
+  const versionRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${sha}`,
+    { headers },
+  )
+  if (versionRes.status === 404) {
+    return Response.json(
+      { error: 'File did not exist at the requested sha', code: 'version-not-found' },
+      { status: 404 },
+    )
+  }
+  if (!versionRes.ok) {
+    return Response.json(
+      { error: `Failed to read version: ${versionRes.status}` },
+      { status: 502 },
+    )
+  }
+  const versionData = (await versionRes.json()) as {
+    content: string
+    encoding: string
+  }
+  const targetContent =
+    versionData.encoding === 'base64'
+      ? Buffer.from(versionData.content, 'base64').toString('utf-8')
+      : versionData.content
+
+  // 2. Fetch current HEAD SHA of the file (for conflict detection + PUT sha param)
+  const headRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+    { headers },
+  )
+  let currentSha: string | null = null
+  if (headRes.ok) {
+    const data = (await headRes.json()) as { sha: string }
+    currentSha = data.sha
+  }
+
+  if (expectedHeadSha && currentSha && expectedHeadSha !== currentSha) {
+    return Response.json(
+      {
+        error: 'Datei wurde inzwischen geändert. Bitte den Verlauf neu laden.',
+        code: 'head-moved',
+      },
+      { status: 409 },
+    )
+  }
+
+  // 3. Write new commit with the historical content
+  const shortSha = sha.slice(0, 7)
+  const fileName = path.split('/').pop() ?? path
+  const message = withTrailers(
+    `revert(${fileName}): rollback to ${shortSha}`,
+    session.user.email,
+  )
+
+  const putBody: Record<string, unknown> = {
+    message,
+    content: Buffer.from(targetContent).toString('base64'),
+    branch,
+  }
+  if (currentSha) putBody.sha = currentSha
+
+  const putRes = await fetch(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
+    { method: 'PUT', headers, body: JSON.stringify(putBody) },
+  )
+
+  if (!putRes.ok) {
+    const text = await putRes.text()
+    return Response.json({ error: `Rollback write failed: ${text}` }, { status: 502 })
+  }
+
+  // Invalidate history cache for this path — fresh commit shows up in lists.
+  invalidateCache(`history:${owner}/${repo}:${branch}:${path}:head`)
+
+  const putData = (await putRes.json()) as { commit: { sha: string } }
+  return Response.json({ ok: true, commitSha: putData.commit.sha })
+}

package/src/api-routes/history-version.ts

@@ -0,0 +1,57 @@
+import type { APIRoute } from 'astro'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { requireAdmin } from './_auth-guard'
+import { cachedFetch } from './_github-cache'
+
+/**
+ * GET /api/setzkasten/history/version?path=<file>&sha=<commit-sha>
+ *
+ * Returns the file content at a specific commit (for diff rendering).
+ * Cached per (path, sha) for 5 minutes — historical content is immutable.
+ */
+export const GET: APIRoute = async ({ request, url, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const path = url.searchParams.get('path')
+  const sha = url.searchParams.get('sha')
+  if (!path || !sha) {
+    return Response.json({ error: 'Missing required `path` or `sha`.' }, { status: 400 })
+  }
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo } = storage
+
+  const cacheKey = `history-version:${owner}/${repo}:${path}:${sha}`
+  const result = await cachedFetch(cacheKey, 5 * 60_000, async () => {
+    const u = new URL(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
+    )
+    u.searchParams.set('ref', sha)
+    const res = await fetch(u, {
+      headers: {
+        Authorization: `Bearer ${tokenResult.value}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+    if (res.status === 404) return { ok: false as const, status: 404, error: 'File not found at given sha' }
+    if (!res.ok) return { ok: false as const, status: 502, error: `GitHub returned ${res.status}` }
+    const data = (await res.json()) as { content: string; encoding: string; sha: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
+    return { ok: true as const, value: { content: raw, sha: data.sha } }
+  })
+
+  if (!result.ok) return Response.json({ error: result.error }, { status: result.status })
+  return Response.json(result.value)
+}

package/src/api-routes/history.ts

@@ -0,0 +1,119 @@
+import type { APIRoute } from 'astro'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { requireAdmin } from './_auth-guard'
+import { parseCoAuthorTrailers, type CommitInfo } from '@setzkasten-cms/core'
+import { cachedFetch } from './_github-cache'
+
+/**
+ * GET /api/setzkasten/history?path=<contentPath>&before=<sha>
+ *
+ * Returns up to 5 most recent commits affecting the given file. Pagination
+ * via `before=<sha>` returns 10 more older commits — clients call this on
+ * "Mehr laden". Admin-only — editors can read content but not the audit
+ * trail (and certainly not roll back).
+ */
+export const GET: APIRoute = async ({ request, url, cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  const path = url.searchParams.get('path')
+  const before = url.searchParams.get('before')
+  if (!path) {
+    return Response.json({ error: 'Missing required `path` parameter.' }, { status: 400 })
+  }
+
+  const tokenResult = await resolveGitHubTokenForRequest(request)
+  if (!tokenResult.ok) return new Response(tokenResult.error.message, { status: 500 })
+
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return Response.json({ error: 'Could not resolve owner/repo' }, { status: 400 })
+  }
+  const { owner, repo, branch } = storage
+  const perPage = before ? 10 : 5
+
+  // Cache history per (path, before) for 60s — invalidated by rollback.
+  const cacheKey = `history:${owner}/${repo}:${branch}:${path}:${before ?? 'head'}`
+  const commits = await cachedFetch(cacheKey, 60_000, () =>
+    fetchCommits(owner, repo, branch, path, perPage, before, tokenResult.value),
+  )
+
+  if (!commits.ok) {
+    return Response.json({ error: commits.error }, { status: commits.status })
+  }
+  return Response.json({ commits: commits.value })
+}
+
+interface CommitsListSuccess {
+  ok: true
+  value: readonly CommitInfo[]
+}
+interface CommitsListFailure {
+  ok: false
+  status: number
+  error: string
+}
+type CommitsResult = CommitsListSuccess | CommitsListFailure
+
+async function fetchCommits(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  perPage: number,
+  before: string | null,
+  token: string,
+): Promise<CommitsResult> {
+  // GitHub paginates by `?sha=<commit>` — passing `before` as `sha` gets
+  // commits older than (and including) that SHA. We start one before
+  // requested SHA so the same commit doesn't appear twice. The simplest
+  // way: pass sha=<before>, request perPage+1, and skip the first.
+  const sha = before ?? branch
+  const u = new URL(`https://api.github.com/repos/${owner}/${repo}/commits`)
+  u.searchParams.set('path', path)
+  u.searchParams.set('sha', sha)
+  u.searchParams.set('per_page', String(before ? perPage + 1 : perPage))
+
+  const res = await fetch(u, {
+    headers: {
+      Authorization: `Bearer ${token}`,
+      Accept: 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28',
+    },
+  })
+
+  if (res.status === 404) return { ok: true, value: [] }
+  if (!res.ok) {
+    return { ok: false, status: 502, error: `GitHub returned ${res.status}` }
+  }
+
+  const data = (await res.json()) as Array<{
+    sha: string
+    commit: {
+      author: { name: string; email: string; date: string }
+      message: string
+    }
+    author: { avatar_url?: string } | null
+  }>
+
+  // Skip first if we paginated (the `before` SHA itself).
+  const start = before ? 1 : 0
+  const slice = data.slice(start, start + perPage)
+  const commits: CommitInfo[] = slice.map((c) => {
+    const [firstLine, ...rest] = c.commit.message.split('\n')
+    const body = rest.join('\n')
+    return {
+      sha: c.sha,
+      shortSha: c.sha.slice(0, 7),
+      authoredAt: c.commit.author.date,
+      authorName: c.commit.author.name,
+      authorEmail: c.commit.author.email,
+      authorAvatarUrl: c.author?.avatar_url,
+      coAuthors: parseCoAuthorTrailers(body),
+      message: firstLine ?? '',
+      body,
+    }
+  })
+  return { ok: true, value: commits }
+}

package/src/api-routes/section-commit-pending.ts

@@ -1,10 +1,13 @@
 import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
-import { resolveStorageConfigForRequest } from './_storage-config'
+import { resolveStorageConfigForRequest, prefixPath } from './_storage-config'
 import { parseSession, guardPageAccess } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { convertToSetHtml } from '../init/template-patcher-v2'
+import { readPagesMeta } from './_pages-meta-store'
+import { setPageLastModified } from '@setzkasten-cms/core'
 
 /**
  * POST /api/setzkasten/sections/commit-pending
@@ -80,6 +83,45 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       })),
     ]
 
+    // Auto-upgrade plain-text fields to set:html when the user introduces
+    // formatting via the inline RTE. Without this, Astro's `{value}` escapes
+    // tags and the published page shows literal `<strong>…</strong>`. We
+    // detect HTML in any committed string value, fetch the section template,
+    // run convertToSetHtml (idempotent — no-op if already converted), and
+    // include the patched template in the same batch commit.
+    const sectionsWithHtml = [...sections, ...edits]
+      .filter(s => containsHtmlValue(s.content))
+      .map(s => s.key)
+    const projectPrefix = (storage as { projectPrefix?: string }).projectPrefix
+    for (const sectionKey of sectionsWithHtml) {
+      const componentPath = prefixPath(
+        `src/components/sections/${pascalCase(sectionKey)}Section.astro`,
+        projectPrefix ?? '',
+      )
+      if (files.some(f => f.path === componentPath)) continue
+      const original = await fetchFileContent(owner, repo, branch, componentPath, githubToken)
+      if (!original) continue
+      const patched = convertToSetHtml(original)
+      if (patched !== original) {
+        files.push({ path: componentPath, content: patched })
+      }
+    }
+
+    // Fold the recency-meta update into this same batch commit. Previously
+    // we issued a follow-up PUT via recordPageEdit, which produced a second
+    // commit ("chore(meta): update _pages-meta.json") and a second deploy
+    // for every save — visible noise in history and wasted CI minutes.
+    const metaContentPath: string = serverConfig?.storage?.contentPath ?? 'content'
+    const metaTarget = { owner, repo, branch, contentPath: metaContentPath, token: githubToken }
+    const metaSnapshot = await readPagesMeta(metaTarget)
+    if (metaSnapshot.ok) {
+      const nextMeta = setPageLastModified(metaSnapshot.value.meta, pageKey, Date.now())
+      files.push({
+        path: `${metaContentPath}/_pages-meta.json`,
+        content: JSON.stringify(nextMeta, null, 2),
+      })
+    }
+
     const parts: string[] = []
     if (sections.length > 0) {
       const keys = sections.map(s => s.key).join(', ')
@@ -110,14 +152,25 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       )
     }
 
-    // Best-effort recency tracking. Metadata write must not derail the
-    // primary save — surface failures via the trailing return only.
-    const { recordPageEdit } = await import('./_pages-meta-store.js')
-    const metaContentPath: string = serverConfig?.storage?.contentPath ?? 'content'
-    await recordPageEdit(
-      { owner, repo, branch, contentPath: metaContentPath, token: tokenResult.value },
-      pageKey,
-    ).catch(() => {})
+    // Fire content.save webhooks. Best-effort, fire-and-forget — does
+    // not block the response.
+    const { fireWebhooks } = await import('./_webhook-dispatcher.js')
+    const parsedSession = parseSession(cookies.get('setzkasten_session')?.value)
+    void fireWebhooks(
+      'content.save',
+      {
+        website: { id: owner, repo: `${owner}/${repo}`, branch },
+        user: {
+          email: parsedSession?.user?.email ?? 'unknown',
+          name: parsedSession?.user?.name,
+        },
+        commit: { sha: commitResult.sha, message: `Commit on ${pageKey}` },
+        files: sections.map((s: { key: string }) => ({
+          path: `${metaContentPath}/_sections/${s.key}.json`,
+        })),
+      },
+      request,
+    )
 
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
@@ -129,6 +182,52 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 }
 
+/** Recursively scan a section content tree for any string value containing
+ *  inline HTML markup (a `<` followed by an ASCII letter or `/`). Used to
+ *  decide whether the section template needs upgrading to set:html. */
+function containsHtmlValue(value: unknown): boolean {
+  if (typeof value === 'string') return /<\/?[a-z]/i.test(value)
+  if (Array.isArray(value)) return value.some(containsHtmlValue)
+  if (value && typeof value === 'object') return Object.values(value).some(containsHtmlValue)
+  return false
+}
+
+function pascalCase(input: string): string {
+  return input
+    .split(/[-_\s]+/)
+    .filter(Boolean)
+    .map(s => s.charAt(0).toUpperCase() + s.slice(1))
+    .join('')
+}
+
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    )
+    if (!res.ok) return null
+    const data = await res.json() as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
+}
+
 async function batchCommit(
   owner: string, repo: string, branch: string,
   files: Array<{ path: string; content: string }>,

package/src/api-routes/section-delete.ts

@@ -90,6 +90,20 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
       pageKey,
     ).catch(() => {})
 
+    // Fire content.delete webhooks (fire-and-forget).
+    const { fireWebhooks } = await import('./_webhook-dispatcher.js')
+    const session = parseSession(cookies.get('setzkasten_session')?.value)
+    void fireWebhooks(
+      'content.delete',
+      {
+        website: { id: owner, repo: `${owner}/${repo}`, branch },
+        user: { email: session?.user?.email ?? 'unknown', name: session?.user?.name },
+        commit: { sha: commitResult.sha, message: `Delete ${sectionKey} from ${pageKey}` },
+        files: [{ path: sectionJsonPath }],
+      },
+      request,
+    )
+
     return Response.json({ success: true, commitSha: commitResult.sha })
   } catch (error) {
     console.error('[setzkasten] section-delete error:', error)

package/src/api-routes/setup-github-app-callback.ts

@@ -27,7 +27,19 @@ export const GET: APIRoute = async ({ url, request, cookies }) => {
     return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } })
   }
 
-  let data: { id: number; slug: string; pem: string } | null = null
+  // GitHub returns a lot more than these five fields (permissions,
+  // events, html_url, …) but these are the only ones we persist for
+  // the wizard. `client_id` + `client_secret` since v1.2: the GH-App
+  // doubles as the OAuth provider for admin login, so the Manifest
+  // exchange replaces what was previously a separate OAuth-App that
+  // the user had to create on github.com/settings/developers.
+  let data: {
+    id: number
+    slug: string
+    pem: string
+    client_id: string
+    client_secret: string
+  } | null = null
   try {
     const response = await fetch(`https://api.github.com/app-manifests/${code}/conversions`, {
       method: 'POST',
@@ -45,7 +57,13 @@ export const GET: APIRoute = async ({ url, request, cookies }) => {
   // Response.redirect() is immutable and blocks subsequent header writes.
   cookies.set(
     COOKIE_NAME,
-    JSON.stringify({ appId: String(data!.id), slug: data!.slug, privateKey: data!.pem }),
+    JSON.stringify({
+      appId: String(data!.id),
+      slug: data!.slug,
+      privateKey: data!.pem,
+      clientId: data!.client_id,
+      clientSecret: data!.client_secret,
+    }),
     { httpOnly: false, sameSite: 'lax', maxAge: COOKIE_MAX_AGE, path: '/' },
   )
 

package/src/api-routes/updater-register.ts

@@ -1,5 +1,23 @@
 import type { APIRoute } from 'astro'
 
+// Vite-define injected by @setzkasten-cms/astro at build time. Available
+// in API-only Vercel cold-starts where the page-ssr injectScript that
+// writes globalThis.__SETZKASTEN_CONFIG__ does not fire.
+declare const __SETZKASTEN_BUILD_CONFIG__: {
+  adminPath?: string
+  updaterUrl?: string
+  version?: string
+  websiteUrl?: string
+  hasGitHub?: boolean
+  storage?: {
+    owner?: string
+    repo?: string
+    branch?: string
+    contentPath?: string
+    assetsPath?: string
+  }
+} | null | undefined
+
 /**
  * Registers this Setzkasten instance with the central updater backend.
  * Called on every Dashboard load. Returns update status and license tier.
@@ -15,12 +33,23 @@ export const POST: APIRoute = async ({ cookies, request }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
+  // Two layers: the page-ssr injectScript writes __SETZKASTEN_CONFIG__ on
+  // globalThis (only fires for SSR-rendered pages). The Vite-define
+  // __SETZKASTEN_BUILD_CONFIG__ ships the same shape baked into the bundle
+  // and is therefore visible in API-only Vercel cold-starts where the
+  // injectScript never runs. We prefer the runtime globalThis value (it
+  // can pick up later overrides) but fall back to the build constant.
+  type ConfigShape = {
     updaterUrl?: string
     version?: string
     websiteUrl?: string
     storage?: { owner?: string; repo?: string }
-  } | undefined
+  }
+  const buildConfig = (typeof __SETZKASTEN_BUILD_CONFIG__ !== 'undefined'
+    ? __SETZKASTEN_BUILD_CONFIG__
+    : null) as ConfigShape | null
+  const runtimeConfig = (globalThis as any).__SETZKASTEN_CONFIG__ as ConfigShape | undefined
+  const config: ConfigShape | null = runtimeConfig ?? buildConfig
 
   const currentVersion = config?.version ?? '0.0.0'
   const updaterUrl = config?.updaterUrl

package/src/api-routes/webhooks-status.ts

@@ -0,0 +1,17 @@
+import type { APIRoute } from 'astro'
+import { requireAdmin } from './_auth-guard'
+import { getWebhookStatus } from './_webhook-status-store'
+
+/**
+ * GET /api/setzkasten/webhooks/status
+ *
+ * Returns the in-memory status map (lastFiredAt + lastStatus per webhook
+ * id). Empty for cold-started instances; the UI handles that gracefully
+ * with "noch nie gefeuert".
+ */
+export const GET: APIRoute = async ({ cookies }) => {
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
+
+  return Response.json({ status: getWebhookStatus() })
+}