@setzkasten-cms/astro-admin 1.4.0 → 1.4.1

package/dist/api-routes/_websites-store.js

@@ -0,0 +1,11 @@
+import {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub
+} from "../chunk-35S35OIV.js";
+import "../chunk-KH22FJO5.js";
+export {
+  readWebsitesRegistryFromGitHub,
+  resolveConfigRepoTargetFromGlobals,
+  writeWebsitesRegistryToGitHub
+};

package/dist/api-routes/asset-proxy.d.ts

@@ -0,0 +1,12 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Asset proxy – serves images from the private GitHub repo.
+ * Used by the admin UI to display image thumbnails without exposing the GitHub token.
+ *
+ * GET /api/setzkasten/asset/public/images/about/LP_Logo.png
+ * → fetches from GitHub API and returns the raw binary with correct Content-Type.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/asset-proxy.js

@@ -0,0 +1,67 @@
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+
+// src/api-routes/asset-proxy.ts
+var GET = async ({ params, request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const assetPath = params.path;
+  if (!assetPath) {
+    return new Response("Missing path", { status: 400 });
+  }
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  if (!config?.storage) {
+    return new Response("Storage not configured", { status: 500 });
+  }
+  const { owner, repo, branch } = config.storage;
+  const githubUrl = `https://api.github.com/repos/${owner}/${repo}/contents/${assetPath}?ref=${branch}`;
+  try {
+    const response = await fetch(githubUrl, {
+      headers: {
+        Authorization: `Bearer ${githubToken}`,
+        Accept: "application/vnd.github.raw+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (!response.ok) {
+      return new Response("Asset not found", { status: response.status });
+    }
+    const contentType = guessMimeType(assetPath);
+    const body = await response.arrayBuffer();
+    return new Response(body, {
+      status: 200,
+      headers: {
+        "Content-Type": contentType,
+        "Cache-Control": "private, max-age=300"
+      }
+    });
+  } catch (error) {
+    console.error("[setzkasten] Asset proxy error:", error);
+    return new Response("Failed to fetch asset", { status: 502 });
+  }
+};
+function guessMimeType(path) {
+  const ext = path.split(".").pop()?.toLowerCase();
+  const types = {
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg",
+    png: "image/png",
+    gif: "image/gif",
+    webp: "image/webp",
+    avif: "image/avif",
+    svg: "image/svg+xml",
+    pdf: "application/pdf"
+  };
+  return types[ext ?? ""] ?? "application/octet-stream";
+}
+export {
+  GET
+};

package/dist/api-routes/auth-callback.d.ts

@@ -0,0 +1,9 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GitHub OAuth callback handler.
+ * Google uses the GIS flow (POST /api/setzkasten/auth/google) — no callback needed there.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/auth-callback.js

@@ -0,0 +1,68 @@
+import {
+  sessionCookieOptions
+} from "../chunk-JHY6XTLL.js";
+import {
+  makeRoleResolver
+} from "../chunk-ZQDGGWJP.js";
+import "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/auth-callback.ts
+import { createGitHubAuth } from "@setzkasten-cms/auth";
+var GET = async ({ request, url, cookies, redirect }) => {
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  if (!code) {
+    return new Response("Missing authorization code", { status: 400 });
+  }
+  const storedRaw = cookies.get("setzkasten_oauth_state")?.value;
+  let storedState;
+  if (storedRaw) {
+    try {
+      storedState = JSON.parse(storedRaw).state;
+    } catch {
+      storedState = storedRaw;
+    }
+  }
+  if (!storedState || state !== storedState) {
+    return new Response("Invalid state parameter", { status: 400 });
+  }
+  cookies.delete("setzkasten_oauth_state", { path: "/" });
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const adminPath = config?.adminPath ?? "/admin";
+  const host = request.headers.get("x-forwarded-host") ?? request.headers.get("host") ?? url.host;
+  const protocol = request.headers.get("x-forwarded-proto") ?? (url.protocol === "https:" ? "https" : "http");
+  const redirectUri = `${protocol}://${host}/api/setzkasten/auth/callback`;
+  const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? "";
+  const allowedEmails = allowedEmailsRaw ? allowedEmailsRaw.split(",").map((e) => e.trim()) : void 0;
+  const auth = createGitHubAuth({
+    clientId: import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? "",
+    clientSecret: import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? "",
+    redirectUri,
+    allowedEmails,
+    resolveRole: makeRoleResolver("github", allowedEmails)
+  });
+  try {
+    const sessionResult = await auth.handleCallback(code);
+    if (!sessionResult.ok) {
+      return new Response(`Authentication failed: ${sessionResult.error.message}`, { status: 403 });
+    }
+    const session = sessionResult.value;
+    cookies.set(
+      "setzkasten_session",
+      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      sessionCookieOptions(import.meta.env.PROD)
+    );
+    return redirect(adminPath);
+  } catch {
+    return new Response("Authentication failed", { status: 500 });
+  }
+};
+export {
+  GET
+};

package/dist/api-routes/auth-login.d.ts

@@ -0,0 +1,11 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Login initiation – redirects the user to GitHub OAuth.
+ * Google uses GIS (POST /api/setzkasten/auth/google) instead of this redirect flow.
+ *
+ * GET /api/setzkasten/auth/login?provider=github
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/auth-login.js

@@ -0,0 +1,27 @@
+// src/api-routes/auth-login.ts
+import { createGitHubAuth } from "@setzkasten-cms/auth";
+var GET = async ({ request, url, cookies, redirect }) => {
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const host = request.headers.get("x-forwarded-host") ?? request.headers.get("host") ?? url.host;
+  const protocol = request.headers.get("x-forwarded-proto") ?? (url.protocol === "https:" ? "https" : "http");
+  const origin = `${protocol}://${host}`;
+  const redirectUri = `${origin}/api/setzkasten/auth/callback`;
+  const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? "";
+  const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? "";
+  if (!ghClientId || !ghClientSecret) {
+    return new Response("GitHub OAuth not configured", { status: 500 });
+  }
+  const auth = createGitHubAuth({ clientId: ghClientId, clientSecret: ghClientSecret, redirectUri });
+  const { url: loginUrl, state } = auth.getLoginUrl();
+  cookies.set("setzkasten_oauth_state", JSON.stringify({ state, provider: "github" }), {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    path: "/",
+    maxAge: 600
+  });
+  return redirect(loginUrl);
+};
+export {
+  GET
+};

package/dist/api-routes/auth-logout.d.ts

@@ -0,0 +1,10 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Logout – clears the session cookie and redirects to home.
+ * Mirrors the same `domain` attribute used when the cookie was set so the
+ * browser actually deletes it on subdomains in standalone-admin setups.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/auth-logout.js

@@ -0,0 +1,13 @@
+import {
+  sessionCookieOptions
+} from "../chunk-JHY6XTLL.js";
+
+// src/api-routes/auth-logout.ts
+var GET = async ({ cookies, redirect }) => {
+  const opts = sessionCookieOptions(false);
+  cookies.delete("setzkasten_session", { path: "/", domain: opts.domain });
+  return redirect("/");
+};
+export {
+  GET
+};

package/dist/api-routes/auth-session.d.ts

@@ -0,0 +1,9 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Session check – returns current user info or 401.
+ * Used by the admin SPA to check if the user is logged in.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/auth-session.js

@@ -0,0 +1,31 @@
+// src/api-routes/auth-session.ts
+var GET = async ({ cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  try {
+    const parsed = JSON.parse(session);
+    if (parsed.expiresAt < Date.now()) {
+      cookies.delete("setzkasten_session", { path: "/" });
+      return new Response(JSON.stringify({ authenticated: false, reason: "expired" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    return new Response(JSON.stringify({ authenticated: true, user: parsed.user }), {
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch {
+    return new Response(JSON.stringify({ authenticated: false }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+};
+export {
+  GET
+};

package/dist/api-routes/auth-setzkasten-login.d.ts

@@ -0,0 +1,18 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/auth/setzkasten-login
+ * Body: { idToken: string }  — Firebase ID token from signInWithPopup
+ *
+ * Verifies the Firebase JWT against Firebase's public JWKS (no secret needed).
+ * Access is gated exclusively by _editors.json (fail-closed).
+ *
+ * Editors live in the build-time-configured repo regardless of which website
+ * the request is targeting — in single-mode that's the website's repo, in
+ * multi-mode it's the config-repo. The per-request resolver and X-SK-Website
+ * header are intentionally NOT consulted here, because login predates any
+ * website selection.
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/auth-setzkasten-login.js

@@ -0,0 +1,74 @@
+import {
+  readGlobalConfig
+} from "../chunk-AM4DZXXM.js";
+import {
+  sessionCookieOptions
+} from "../chunk-JHY6XTLL.js";
+import {
+  makeRoleResolver
+} from "../chunk-ZQDGGWJP.js";
+import {
+  readEditorsFile
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfig
+} from "../chunk-6UIKVKED.js";
+import {
+  gateFeature
+} from "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveConfigRepoToken
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/auth-setzkasten-login.ts
+import { verifyFirebaseJwt } from "@setzkasten-cms/auth";
+var POST = async ({ request, cookies }) => {
+  const gate = gateFeature("google-auth");
+  if (gate) return gate;
+  const body = await request.json().catch(() => null);
+  const idToken = body?.idToken;
+  if (!idToken) {
+    return new Response("Missing idToken", { status: 400 });
+  }
+  const storage = resolveStorageConfig();
+  if (!storage) {
+    return new Response("Storage not configured", { status: 500 });
+  }
+  const { owner, repo, branch } = storage;
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const tokenResult = await resolveConfigRepoToken();
+  if (!tokenResult.ok) {
+    return new Response(`GitHub token unavailable: ${tokenResult.error.message}`, { status: 503 });
+  }
+  const globalCfg = await readGlobalConfig().catch(() => null);
+  if (!globalCfg?.firebaseConfig) {
+    return new Response("SetzKastenLogin not configured", { status: 500 });
+  }
+  const editors = await readEditorsFile(owner, repo, branch, contentPath, tokenResult.value);
+  if (editors === null) {
+    return new Response("Editors list unavailable \u2014 no access granted", { status: 503 });
+  }
+  const allowedEmails = editors.map((e) => e.email);
+  const result = await verifyFirebaseJwt(
+    idToken,
+    allowedEmails,
+    makeRoleResolver("google", allowedEmails)
+  );
+  if (!result.ok) {
+    return new Response(result.error.message, { status: 403 });
+  }
+  const session = result.value;
+  cookies.set(
+    "setzkasten_session",
+    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    sessionCookieOptions(import.meta.env.PROD)
+  );
+  return Response.json({ ok: true });
+};
+export {
+  POST
+};

package/dist/api-routes/catalog-add.d.ts

@@ -0,0 +1,14 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/catalog/add
+ *
+ * Adds a catalog template to a page:
+ * - Creates content JSON with template's defaultContent (_sections/{key}.json)
+ * - Appends new entry to the page config (pages/_{pageKey}.json)
+ *
+ * Body: { templateName, pageKey, sectionKey? (override), owner?, repo?, branch?, contentPath? }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/catalog-add.js

@@ -0,0 +1,153 @@
+import {
+  addToPageConfig,
+  generateAddKey
+} from "../chunk-GHNK2GFE.js";
+import {
+  buildCatalogAddCommit,
+  validateCatalogAddBody
+} from "../chunk-GRG3LNKH.js";
+import {
+  guardPageAccess,
+  parseSession
+} from "../chunk-INIWFKQ3.js";
+import {
+  prefixPath,
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import {
+  withTrailers
+} from "../chunk-KH22FJO5.js";
+
+// src/api-routes/catalog-add.ts
+import { registry } from "@setzkasten-cms/catalog";
+var POST = async ({ request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  try {
+    const body = await request.json();
+    let validated;
+    try {
+      validated = validateCatalogAddBody(body);
+    } catch (e) {
+      return Response.json({ error: e instanceof Error ? e.message : "Invalid request" }, { status: 400 });
+    }
+    const { templateName, pageKey } = validated;
+    const storage = await resolveStorageConfigForRequest(request, body);
+    if (!storage) return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+    const { owner, repo, branch, projectPrefix } = storage;
+    const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+    const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+    const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
+    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (denied) return denied;
+    const headers = {
+      Authorization: `Bearer ${githubToken}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28",
+      "Content-Type": "application/json"
+    };
+    const configKey = "_" + pageKey.replace(/\//g, "_");
+    const rawPageConfigPath = `${contentPath}/pages/${configKey}.json`;
+    const pageConfigPath = prefixPath(rawPageConfigPath, projectPrefix);
+    const pageConfigRaw = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
+    if (!pageConfigRaw) return Response.json({ error: "Page config not found" }, { status: 404 });
+    const pageConfig = JSON.parse(pageConfigRaw);
+    const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
+    const sectionKey = validated.sectionKey ?? generateAddKey(existingKeys, templateName);
+    if (existingKeys.includes(sectionKey)) {
+      return Response.json({ error: `Key "${sectionKey}" already exists on this page` }, { status: 409 });
+    }
+    const template = registry.get(templateName);
+    const { sectionJsonPath } = buildCatalogAddCommit({
+      contentPath,
+      projectPrefix,
+      pageKey,
+      sectionKey,
+      templateName,
+      pageConfigPath: rawPageConfigPath
+    });
+    const updatedConfig = addToPageConfig(pageConfig, sectionKey, templateName);
+    const commitResult = await batchCommit(
+      owner,
+      repo,
+      branch,
+      [
+        { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
+        { path: sectionJsonPath, content: JSON.stringify(template.defaultContent, null, 2) }
+      ],
+      withTrailers(
+        `content: add catalog template "${templateName}" as "${sectionKey}" to ${pageKey}`,
+        parseSession(cookies.get("setzkasten_session")?.value)?.user?.email
+      ),
+      headers
+    );
+    if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 });
+    return Response.json({ success: true, sectionKey, commitSha: commitResult.sha });
+  } catch (error) {
+    console.error("[setzkasten] catalog-add error:", error);
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Catalog add failed" },
+      { status: 500 }
+    );
+  }
+};
+async function fetchFileContent(owner, repo, branch, path, token) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  } catch {
+    return null;
+  }
+}
+async function batchCommit(owner, repo, branch, files, message, headers) {
+  try {
+    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
+    const { object: { sha: headSha } } = await refRes.json();
+    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
+    const { tree: { sha: baseSha } } = await commitRes.json();
+    const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ base_tree: baseSha, tree: files.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })) })
+    });
+    if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
+    const { sha: treeSha } = await treeRes.json();
+    const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
+    });
+    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    const { sha: newSha } = await newCommitRes.json();
+    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify({ sha: newSha })
+    });
+    if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
+    return { ok: true, sha: newSha };
+  } catch (error) {
+    return { ok: false, error: error instanceof Error ? error.message : "Commit failed" };
+  }
+}
+export {
+  POST
+};

package/dist/api-routes/catalog-export.d.ts

@@ -0,0 +1,13 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/catalog/export
+ *
+ * Exports a managed section as a `.setzkasten-template` JSON string.
+ * The caller can save this to a file or upload it to a shared catalog.
+ *
+ * Body: { sectionKey, owner?, repo?, branch?, contentPath? }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/catalog-export.js

@@ -0,0 +1,71 @@
+import {
+  prefixPath,
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+
+// src/api-routes/catalog-export.ts
+import { exportTemplate } from "@setzkasten-cms/catalog";
+var POST = async ({ request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  try {
+    const body = await request.json();
+    if (!body.sectionKey) {
+      return Response.json({ error: "sectionKey is required" }, { status: 400 });
+    }
+    const storage = await resolveStorageConfigForRequest(request, body);
+    if (!storage) return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+    const { owner, repo, branch, projectPrefix } = storage;
+    const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+    const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+    const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
+    const { sectionKey } = body;
+    const sectionJsonPath = prefixPath(`${contentPath}/_sections/${sectionKey}.json`, projectPrefix);
+    const contentRaw = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken);
+    if (!contentRaw) return Response.json({ error: `Section content not found: ${sectionKey}` }, { status: 404 });
+    const content = JSON.parse(contentRaw);
+    const sectionDef = findSectionDef(fullConfig, sectionKey);
+    if (!sectionDef) {
+      return Response.json({ error: `Section definition not found for key: ${sectionKey}` }, { status: 404 });
+    }
+    const templateJson = exportTemplate(sectionKey, sectionDef, content);
+    return Response.json({ success: true, template: templateJson });
+  } catch (error) {
+    console.error("[setzkasten] catalog-export error:", error);
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Export failed" },
+      { status: 500 }
+    );
+  }
+};
+function findSectionDef(fullConfig, sectionKey) {
+  if (!fullConfig?.products) return null;
+  for (const product of Object.values(fullConfig.products)) {
+    if (product?.sections?.[sectionKey]) return product.sections[sectionKey];
+  }
+  return null;
+}
+async function fetchFileContent(owner, repo, branch, path, token) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  } catch {
+    return null;
+  }
+}
+export {
+  POST
+};

package/dist/api-routes/catalog-helpers.d.ts

@@ -0,0 +1,41 @@
+import * as _setzkasten_cms_catalog from '@setzkasten-cms/catalog';
+
+/**
+ * Pure helper functions for catalog API routes.
+ * No GitHub API, no Astro runtime — fully unit-testable.
+ */
+/** Returns the full catalog list (all built-in templates) for the API response. */
+declare function buildCatalogResponse(): _setzkasten_cms_catalog.TemplateFile[];
+interface CatalogAddBody {
+    templateName?: unknown;
+    pageKey?: unknown;
+    sectionKey?: unknown;
+    [key: string]: unknown;
+}
+/**
+ * Validates the request body for POST /api/setzkasten/catalog/add.
+ * Throws with a descriptive message on any validation error.
+ */
+declare function validateCatalogAddBody(body: CatalogAddBody): {
+    templateName: string;
+    pageKey: string;
+    sectionKey?: string;
+};
+interface CatalogAddCommitOpts {
+    contentPath: string;
+    projectPrefix: string;
+    pageKey: string;
+    sectionKey: string;
+    templateName: string;
+    pageConfigPath: string;
+}
+interface CatalogAddCommitPaths {
+    sectionJsonPath: string;
+    pageConfigPath: string;
+}
+/**
+ * Builds the file paths that need to be committed when adding a catalog template to a page.
+ */
+declare function buildCatalogAddCommit(opts: CatalogAddCommitOpts): CatalogAddCommitPaths;
+
+export { type CatalogAddBody, type CatalogAddCommitOpts, type CatalogAddCommitPaths, buildCatalogAddCommit, buildCatalogResponse, validateCatalogAddBody };