@setzkasten-cms/astro-admin 1.4.0 → 1.4.1

package/dist/api-routes/section-duplicate.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/sections/duplicate
+ *
+ * Duplicates a section within a page:
+ * - Copies the content JSON to a new key (_sections/{newKey}.json)
+ * - Inserts new entry after the original in the page config
+ * - New key is auto-generated: hero → hero--copy → hero--copy2 …
+ *
+ * Body: { pageKey, sectionKey, owner?, repo?, branch?, contentPath? }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/section-duplicate.js

@@ -0,0 +1,143 @@
+import {
+  duplicateInPageConfig,
+  generateDuplicateKey
+} from "../chunk-GHNK2GFE.js";
+import {
+  guardPageAccess,
+  parseSession
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import {
+  withTrailers
+} from "../chunk-KH22FJO5.js";
+
+// src/api-routes/section-duplicate.ts
+var POST = async ({ request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  try {
+    const body = await request.json();
+    const storage = await resolveStorageConfigForRequest(request, body);
+    if (!storage) return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+    const { owner, repo, branch, projectPrefix } = storage;
+    const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+    const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+    const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
+    const { pageKey, sectionKey } = body;
+    if (!pageKey || !sectionKey) {
+      return Response.json({ error: "pageKey and sectionKey are required" }, { status: 400 });
+    }
+    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (denied) return denied;
+    const headers = {
+      Authorization: `Bearer ${githubToken}`,
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28",
+      "Content-Type": "application/json"
+    };
+    const configKey = "_" + pageKey.replace(/\//g, "_");
+    const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
+    const pageConfigRaw = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
+    if (!pageConfigRaw) return Response.json({ error: "Page config not found" }, { status: 404 });
+    const pageConfig = JSON.parse(pageConfigRaw);
+    const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
+    const newKey = generateDuplicateKey(existingKeys, sectionKey);
+    const originalJsonPath = `${contentPath}/_sections/${sectionKey}.json`;
+    const originalContent = await fetchFileContent(owner, repo, branch, originalJsonPath, githubToken);
+    const updatedConfig = duplicateInPageConfig(pageConfig, sectionKey, newKey);
+    const filesToCommit = [
+      { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) }
+    ];
+    if (originalContent) {
+      const copyPath = `${contentPath}/_sections/${newKey}.json`;
+      filesToCommit.push({ path: copyPath, content: originalContent });
+    }
+    const commitResult = await batchCommit(
+      owner,
+      repo,
+      branch,
+      filesToCommit,
+      withTrailers(
+        `content: duplicate ${sectionKey} \u2192 ${newKey} on ${pageKey}`,
+        parseSession(cookies.get("setzkasten_session")?.value)?.user?.email
+      ),
+      headers
+    );
+    if (!commitResult.ok) return Response.json({ error: commitResult.error }, { status: 500 });
+    const { recordPageEdit } = await import("./_pages-meta-store.js");
+    await recordPageEdit(
+      { owner, repo, branch, contentPath, token: tokenResult.value },
+      pageKey
+    ).catch(() => {
+    });
+    return Response.json({ success: true, newKey, commitSha: commitResult.sha });
+  } catch (error) {
+    console.error("[setzkasten] section-duplicate error:", error);
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Duplicate failed" },
+      { status: 500 }
+    );
+  }
+};
+async function fetchFileContent(owner, repo, branch, path, token) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  } catch {
+    return null;
+  }
+}
+async function batchCommit(owner, repo, branch, files, message, headers) {
+  try {
+    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers });
+    if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` };
+    const { object: { sha: headSha } } = await refRes.json();
+    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers });
+    if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
+    const { tree: { sha: baseSha } } = await commitRes.json();
+    const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ base_tree: baseSha, tree: files.map((f) => ({ path: f.path, mode: "100644", type: "blob", content: f.content })) })
+    });
+    if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
+    const { sha: treeSha } = await treeRes.json();
+    const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ tree: treeSha, parents: [headSha], message })
+    });
+    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    const { sha: newSha } = await newCommitRes.json();
+    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify({ sha: newSha })
+    });
+    if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` };
+    return { ok: true, sha: newSha };
+  } catch (error) {
+    return { ok: false, error: error instanceof Error ? error.message : "Commit failed" };
+  }
+}
+export {
+  POST
+};

package/dist/api-routes/section-management.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Pure helper functions for section delete and duplicate operations.
+ * No GitHub API — callers handle storage.
+ */
+interface SectionEntry {
+    key: string;
+    type?: string;
+    enabled?: boolean;
+    order?: number;
+    [key: string]: unknown;
+}
+interface PageConfig {
+    sections: SectionEntry[];
+    [key: string]: unknown;
+}
+/**
+ * Removes a section from the page config and re-numbers order.
+ */
+declare function removeFromPageConfig(config: PageConfig, sectionKey: string): PageConfig;
+/**
+ * Generates a unique duplicate key for a section.
+ * 'hero' → 'hero--copy', then 'hero--copy2', 'hero--copy3', ...
+ */
+declare function generateDuplicateKey(existingKeys: string[], originalKey: string): string;
+/**
+ * Generates a unique key for a new section of a given type.
+ * 'hero' → 'hero' (if free), then 'hero--2', 'hero--3', ...
+ */
+declare function generateAddKey(existingKeys: string[], type: string): string;
+/**
+ * Appends a new section entry at the end of the page config.
+ * Sets `type` only when key differs from type (multi-instance case).
+ */
+declare function addToPageConfig(config: PageConfig, key: string, type: string): PageConfig;
+/**
+ * Inserts a duplicate entry immediately after the original in the page config.
+ * The copy is always enabled. Order is re-numbered.
+ */
+declare function duplicateInPageConfig(config: PageConfig, originalKey: string, newKey: string): PageConfig;
+
+export { addToPageConfig, duplicateInPageConfig, generateAddKey, generateDuplicateKey, removeFromPageConfig };

package/dist/api-routes/section-management.js

@@ -0,0 +1,14 @@
+import {
+  addToPageConfig,
+  duplicateInPageConfig,
+  generateAddKey,
+  generateDuplicateKey,
+  removeFromPageConfig
+} from "../chunk-GHNK2GFE.js";
+export {
+  addToPageConfig,
+  duplicateInPageConfig,
+  generateAddKey,
+  generateDuplicateKey,
+  removeFromPageConfig
+};

package/dist/api-routes/section-prepare-copy.d.ts

@@ -0,0 +1,25 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/sections/prepare-copy
+ *
+ * Prepares a deferred duplicate of an existing section:
+ * - Reads the original section content from GitHub
+ * - Generates a unique copy key (hero → hero--copy → hero--copy2 …)
+ * - Returns { key, type, content, updatedPageConfig } WITHOUT committing
+ *
+ * The client uses this to update local state + preview draft immediately.
+ * Only committed to GitHub when the user presses "Live setzen".
+ *
+ * Note: this route intentionally does NOT call recordPageEdit. The
+ * page-recency spec lists it as a "mutating route", but in practice it
+ * only reads and returns — the real GitHub commit happens later in
+ * commit-pending, which records the edit. Bumping the timestamp here
+ * would mark a page as recently-modified even when the user opens the
+ * duplicate dialog and then cancels without committing.
+ *
+ * Body: { pageKey, sectionKey, owner?, repo?, branch?, contentPath? }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/section-prepare-copy.js

@@ -0,0 +1,69 @@
+import {
+  duplicateInPageConfig,
+  generateDuplicateKey
+} from "../chunk-GHNK2GFE.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+
+// src/api-routes/section-prepare-copy.ts
+var POST = async ({ request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  try {
+    const body = await request.json();
+    const storage = await resolveStorageConfigForRequest(request, body);
+    if (!storage) return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+    const { owner, repo, branch } = storage;
+    const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+    const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
+    const { pageKey, sectionKey } = body;
+    if (!pageKey || !sectionKey) {
+      return Response.json({ error: "pageKey and sectionKey are required" }, { status: 400 });
+    }
+    const configKey = "_" + pageKey.replace(/\//g, "_");
+    const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
+    const pageConfigRaw = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
+    if (!pageConfigRaw) return Response.json({ error: "Page config not found" }, { status: 404 });
+    const pageConfig = JSON.parse(pageConfigRaw);
+    const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
+    const newKey = generateDuplicateKey(existingKeys, sectionKey);
+    const originalJsonPath = `${contentPath}/_sections/${sectionKey}.json`;
+    const originalRaw = await fetchFileContent(owner, repo, branch, originalJsonPath, githubToken);
+    const content = originalRaw ? JSON.parse(originalRaw) : {};
+    const originalEntry = (pageConfig.sections ?? []).find((s) => s.key === sectionKey);
+    const type = originalEntry?.type ?? sectionKey;
+    const updatedPageConfig = duplicateInPageConfig(pageConfig, sectionKey, newKey);
+    return Response.json({ key: newKey, type, content, updatedPageConfig });
+  } catch (error) {
+    console.error("[setzkasten] section-prepare-copy error:", error);
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Prepare copy failed" },
+      { status: 500 }
+    );
+  }
+};
+async function fetchFileContent(owner, repo, branch, path, token) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  } catch {
+    return null;
+  }
+}
+export {
+  POST
+};

package/dist/api-routes/section-prepare.d.ts

@@ -0,0 +1,18 @@
+import { APIRoute } from 'astro';
+
+/**
+ * POST /api/setzkasten/sections/prepare
+ *
+ * Prepares a new section for optimistic/deferred addition:
+ * - Generates a unique key for the given sectionType
+ * - Builds default content from schema (NO GitHub commit)
+ * - Returns { key, type, defaultContent, updatedPageConfig }
+ *
+ * The client uses this to update local state + preview draft immediately,
+ * and only commits to GitHub when the user explicitly saves ("Seite speichern").
+ *
+ * Body: { pageKey, sectionType, owner?, repo?, branch?, contentPath? }
+ */
+declare const POST: APIRoute;
+
+export { POST };

package/dist/api-routes/section-prepare.js

@@ -0,0 +1,104 @@
+import {
+  generateAddKey
+} from "../chunk-GHNK2GFE.js";
+import {
+  guardPageAccess,
+  parseSession
+} from "../chunk-INIWFKQ3.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/section-prepare.ts
+var POST = async ({ request, cookies }) => {
+  const session = cookies.get("setzkasten_session")?.value;
+  if (!session) return new Response("Unauthorized", { status: 401 });
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) {
+    return new Response(tokenResult.error.message, { status: 500 });
+  }
+  const githubToken = tokenResult.value;
+  try {
+    const body = await request.json();
+    const storage = await resolveStorageConfigForRequest(request, body);
+    if (!storage) return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
+    const { owner, repo, branch } = storage;
+    const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+    const fullConfig = globalThis.__SETZKASTEN_FULL_CONFIG__;
+    const contentPath = body.contentPath || serverConfig?.storage?.contentPath || "content";
+    const { pageKey, sectionType } = body;
+    if (!pageKey || !sectionType) {
+      return Response.json({ error: "pageKey and sectionType are required" }, { status: 400 });
+    }
+    const denied = await guardPageAccess(parseSession(cookies.get("setzkasten_session")?.value), pageKey, fullConfig, request);
+    if (denied) return denied;
+    const configKey = "_" + pageKey.replace(/\//g, "_");
+    const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
+    const pageConfigRaw = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
+    if (!pageConfigRaw) return Response.json({ error: "Page config not found" }, { status: 404 });
+    const pageConfig = JSON.parse(pageConfigRaw);
+    const existingKeys = (pageConfig.sections ?? []).map((s) => s.key);
+    const newKey = generateAddKey(existingKeys, sectionType);
+    const sectionDef = findSectionDef(fullConfig, sectionType);
+    const defaultContent = sectionDef ? buildDefaultContent(sectionDef.fields ?? {}) : {};
+    const newEntry = {
+      key: newKey,
+      enabled: true,
+      order: pageConfig.sections.length,
+      ...newKey !== sectionType ? { type: sectionType } : {}
+    };
+    const updatedPageConfig = {
+      ...pageConfig,
+      sections: [...pageConfig.sections ?? [], newEntry]
+    };
+    return Response.json({
+      key: newKey,
+      type: sectionType,
+      defaultContent,
+      updatedPageConfig
+    });
+  } catch (error) {
+    console.error("[setzkasten] section-prepare error:", error);
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Prepare failed" },
+      { status: 500 }
+    );
+  }
+};
+function findSectionDef(fullConfig, sectionType) {
+  if (!fullConfig?.products) return null;
+  for (const product of Object.values(fullConfig.products)) {
+    if (product?.sections?.[sectionType]) return product.sections[sectionType];
+  }
+  return null;
+}
+function buildDefaultContent(fields) {
+  const result = {};
+  for (const [key, field] of Object.entries(fields)) {
+    if (field.defaultValue !== void 0) result[key] = field.defaultValue;
+  }
+  return result;
+}
+async function fetchFileContent(owner, repo, branch, path, token) {
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
+      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+    );
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+  } catch {
+    return null;
+  }
+}
+export {
+  POST
+};

package/dist/api-routes/setup-github-app-bounce.d.ts

@@ -0,0 +1,13 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Server-side manifest bounce for the GitHub App Manifest flow.
+ *
+ * GET /api/setzkasten/setup/github-app/bounce?name=my-app
+ *
+ * Generates the GitHub App manifest JSON using the server-known origin,
+ * then returns a minimal HTML page that auto-submits a form to GitHub.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/setup-github-app-bounce.js

@@ -0,0 +1,45 @@
+import {
+  getPublicOrigin
+} from "../chunk-5ZFTG4BW.js";
+
+// src/api-routes/setup-github-app-bounce.ts
+var GET = async ({ url, request }) => {
+  const name = url.searchParams.get("name")?.trim() || "Setzkasten CMS";
+  const origin = getPublicOrigin(request);
+  const manifest = JSON.stringify({
+    name,
+    url: origin,
+    redirect_url: `${origin}/api/setzkasten/setup/github-app/callback`,
+    setup_url: `${origin}/api/setzkasten/setup/github-app/installed`,
+    setup_on_update: false,
+    public: false,
+    default_permissions: { contents: "write" }
+  });
+  const safeManifest = manifest.replace(/&/g, "&").replace(/"/g, """);
+  const html = `<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8">
+  <title>Weiterleitung zu GitHub\u2026</title>
+  <style>
+    body { font-family: sans-serif; display: flex; align-items: center;
+           justify-content: center; height: 100vh; margin: 0;
+           background: #0d1117; color: #e6edf3; }
+    p { opacity: .6; }
+  </style>
+</head>
+<body>
+  <p>Weiterleitung zu GitHub\u2026</p>
+  <form id="f" method="POST" action="https://github.com/settings/apps/new">
+    <input type="hidden" name="manifest" value="${safeManifest}">
+  </form>
+  <script>document.getElementById('f').submit()</script>
+</body>
+</html>`;
+  return new Response(html, {
+    headers: { "Content-Type": "text/html; charset=utf-8" }
+  });
+};
+export {
+  GET
+};

package/dist/api-routes/setup-github-app-branches.d.ts

@@ -0,0 +1,14 @@
+import { APIRoute } from 'astro';
+
+/**
+ * GET /api/setzkasten/setup/github-app/branches?installation=<id>&repo=<owner/repo>
+ *
+ * Returns the list of branches for one repo, fetched via the installation
+ * token of the given installation. Used by the WebsitesView form so the
+ * Branch field becomes a dropdown after the user picks a repo.
+ *
+ * Admin-only — same reasoning as /setup/github-app/repos.
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/setup-github-app-branches.js

@@ -0,0 +1,58 @@
+import {
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+
+// src/api-routes/setup-github-app-branches.ts
+import { listRepoBranches } from "@setzkasten-cms/github-adapter";
+var GET = async ({ cookies, url }) => {
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
+  const appId = process.env.GITHUB_APP_ID;
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;
+  if (!appId || !privateKey) {
+    return new Response(
+      JSON.stringify({
+        error: "GitHub App not configured. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY."
+      }),
+      { status: 400, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const installationId = url.searchParams.get("installation");
+  const repoFull = url.searchParams.get("repo");
+  if (!installationId || !repoFull) {
+    return new Response(
+      JSON.stringify({ error: "Both ?installation and ?repo (owner/name) are required." }),
+      { status: 400, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const slash = repoFull.indexOf("/");
+  if (slash <= 0 || slash === repoFull.length - 1) {
+    return new Response(
+      JSON.stringify({ error: '?repo must be in "owner/name" format.' }),
+      { status: 400, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const owner = repoFull.slice(0, slash);
+  const repo = repoFull.slice(slash + 1);
+  const result = await listRepoBranches({ appId, privateKey }, installationId, owner, repo);
+  if (!result.ok) {
+    const status = result.error.type === "auth" ? 401 : result.error.type === "not-found" ? 404 : 502;
+    return new Response(JSON.stringify({ error: result.error.message }), {
+      status,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return new Response(JSON.stringify({ branches: result.value }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" }
+  });
+};
+export {
+  GET
+};

package/dist/api-routes/setup-github-app-callback.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Receives the code from GitHub after a GitHub App Manifest creation.
+ * Exchanges it for the full app credentials (App ID, private key, slug).
+ *
+ * GET /api/setzkasten/setup/github-app/callback?code=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+declare const GET: APIRoute;
+
+export { GET };

package/dist/api-routes/setup-github-app-callback.js

@@ -0,0 +1,45 @@
+import {
+  getPublicOrigin
+} from "../chunk-5ZFTG4BW.js";
+
+// src/api-routes/setup-github-app-callback.ts
+var COOKIE_NAME = "sk_app_setup";
+var COOKIE_MAX_AGE = 600;
+var GET = async ({ url, request, cookies }) => {
+  const config = globalThis.__SETZKASTEN_CONFIG__;
+  const adminPath = config?.adminPath ?? "/admin";
+  const adminUrl = new URL(adminPath, getPublicOrigin(request));
+  const code = url.searchParams.get("code");
+  if (!code) {
+    adminUrl.searchParams.set("github-app-error", "missing_code");
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+  }
+  let data = null;
+  try {
+    const response = await fetch(`https://api.github.com/app-manifests/${code}/conversions`, {
+      method: "POST",
+      headers: { Accept: "application/vnd.github.v3+json" },
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (!response.ok) throw new Error(`GitHub returned ${response.status}`);
+    data = await response.json();
+  } catch {
+    adminUrl.searchParams.set("github-app-error", "exchange_failed");
+    return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+  }
+  cookies.set(
+    COOKIE_NAME,
+    JSON.stringify({
+      appId: String(data.id),
+      slug: data.slug,
+      privateKey: data.pem,
+      clientId: data.client_id,
+      clientSecret: data.client_secret
+    }),
+    { httpOnly: false, sameSite: "lax", maxAge: COOKIE_MAX_AGE, path: "/" }
+  );
+  return new Response(null, { status: 302, headers: { Location: adminUrl.toString() } });
+};
+export {
+  GET
+};

package/dist/api-routes/setup-github-app-installed.d.ts

@@ -0,0 +1,15 @@
+import { APIRoute } from 'astro';
+
+/**
+ * Receives the installation_id from GitHub after the user installs the App.
+ * Merges it into the existing setup cookie and redirects back to the admin.
+ *
+ * GET /api/setzkasten/setup/github-app/installed?installation_id=xxx
+ *
+ * Note: uses mutable new Response() instead of Response.redirect() —
+ * Response.redirect() is immutable and prevents Astro from appending
+ * the Set-Cookie header (TypeError: immutable).
+ */
+declare const GET: APIRoute;
+
+export { GET };