@setzkasten-cms/astro-admin 1.4.0 → 1.4.2

package/dist/api-routes/_auth-guard.d.ts

@@ -0,0 +1,47 @@
+import { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core';
+
+declare function parseSession(raw: string | undefined): AuthSession | null;
+/**
+ * Returns 401 if the request has no valid session, 403 if the user is not
+ * an admin, or null (= allowed) otherwise. Used by every admin-only API
+ * endpoint so the role check is mechanically applied — never just
+ * `if (!session) return 401`, which lets editors hit admin-only routes.
+ */
+declare function requireAdmin(rawSession: string | undefined): Response | null;
+/**
+ * Returns a 403/503 Response if the session user may NOT edit the given page,
+ * or null (= allowed) otherwise.
+ *
+ * Authorization is two-layered:
+ *
+ *   1. Global editors (_editors.json in the config-repo) decide which pages
+ *      an editor account can touch at all. Admins always pass.
+ *
+ *   2. Per-website allowedEmails (in WebsiteEntry, multi-mode only) decide
+ *      which editors may operate on the website the request is targeting.
+ *      Without this layer, an editor could swap the X-SK-Website header
+ *      to any registered website id and inherit edit access transitively
+ *      from layer 1. Single-mode requests skip this layer because the
+ *      resolver returns no Result.ok for them.
+ *
+ * Fail-modes for layer 1:
+ *   - File absent (genuine 404)   → undefined → canEditPage allows
+ *     (semantic: "no restrictions configured")
+ *   - File present and parsed     → list → canEditPage applies it
+ *   - Fetch failed / parse failed → 503, deny access (was a silent grant
+ *     before review finding #1).
+ */
+declare function guardPageAccess(session: AuthSession | null, pageKey: string, fullConfig: SetzKastenConfig | undefined, request?: Request): Promise<Response | null>;
+/**
+ * Per-website authorization. Editors must be listed on
+ * `WebsiteEntry.allowedEmails` to operate on the website that the
+ * X-SK-Website header resolves to. Admins always pass; single-mode
+ * skips this check entirely (no website context).
+ *
+ * Returns 403 on deny, null on allow. Resolver failures are
+ * considered "no per-website restriction" — the global guard above
+ * already covers fail-closed for editors-file errors.
+ */
+declare function guardWebsiteAccess(session: AuthSession, request: Request): Promise<Response | null>;
+
+export { guardPageAccess, guardWebsiteAccess, parseSession, requireAdmin };

package/dist/api-routes/_auth-guard.js

@@ -0,0 +1,18 @@
+import {
+  guardPageAccess,
+  guardWebsiteAccess,
+  parseSession,
+  requireAdmin
+} from "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+export {
+  guardPageAccess,
+  guardWebsiteAccess,
+  parseSession,
+  requireAdmin
+};

package/dist/api-routes/_commit-trailers.d.ts

@@ -0,0 +1,8 @@
+declare const SETZKASTEN_CO_AUTHOR = "Co-authored-by: Setzkasten <setzkasten@setzkasten.dev>";
+/**
+ * Appends git commit trailers to a commit message.
+ * Always includes the Setzkasten co-author; optionally includes the editor.
+ */
+declare function withTrailers(message: string, editorEmail?: string | null): string;
+
+export { SETZKASTEN_CO_AUTHOR, withTrailers };

package/dist/api-routes/_commit-trailers.js

@@ -0,0 +1,8 @@
+import {
+  SETZKASTEN_CO_AUTHOR,
+  withTrailers
+} from "../chunk-KH22FJO5.js";
+export {
+  SETZKASTEN_CO_AUTHOR,
+  withTrailers
+};

package/dist/api-routes/_feature-gate.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Soft-fail feature-gate guard for API routes. Returns `null` when the
+ * feature is available at the current license tier; otherwise returns a
+ * 403 Response with a machine-readable JSON body.
+ *
+ * Usage:
+ *
+ *   const gate = gateFeature('editors')
+ *   if (gate) return gate
+ *   // ... normal route logic
+ *
+ * The body shape:
+ *
+ *   { error: string, code: 'feature-locked', feature: string, requiredTier: string }
+ *
+ * Routes use 403 (not 402) because UI clients robustly handle 403 Forbidden
+ * but often surface 402 Payment Required as a generic error. The `code`
+ * field lets the UI hook (`useFeatureGate`) distinguish locked features
+ * from real authorization failures.
+ */
+declare function gateFeature(feature: string): Response | null;
+
+export { gateFeature };

package/dist/api-routes/_feature-gate.js

@@ -0,0 +1,7 @@
+import {
+  gateFeature
+} from "../chunk-5PIMDP4N.js";
+import "../chunk-TJNJKPUL.js";
+export {
+  gateFeature
+};

package/dist/api-routes/_github-cache.d.ts

@@ -0,0 +1,4 @@
+declare function cachedFetch<T>(key: string, ttlMs: number, fetcher: () => Promise<T>): Promise<T>;
+declare function invalidateCache(key: string): void;
+
+export { cachedFetch, invalidateCache };

package/dist/api-routes/_github-cache.js

@@ -0,0 +1,8 @@
+import {
+  cachedFetch,
+  invalidateCache
+} from "../chunk-45ARVNT3.js";
+export {
+  cachedFetch,
+  invalidateCache
+};

package/dist/api-routes/_github-token.d.ts

@@ -0,0 +1,27 @@
+import { Result } from '@setzkasten-cms/core';
+
+/**
+ * Token for the **config repo** (in multi mode) or the **website repo**
+ * (in single mode). Reads the App credentials straight from ENV — no
+ * X-SK-Website routing involved. Used by config-management endpoints
+ * (`/websites/add`, `/websites/remove`) and any read of `_global_config.json`
+ * / `_editors.json` that lives next to the registry, not next to the
+ * editable content.
+ *
+ * In single mode this is the only relevant token; in multi mode it is
+ * the token for the config repo, while per-website operations use
+ * {@link resolveGitHubTokenForRequest}.
+ */
+declare function resolveConfigRepoToken(): Promise<Result<string>>;
+/**
+ * Token for the website resolved from the request's `X-SK-Website` header.
+ * In multi mode this picks the installation id of the active website;
+ * in single mode the resolver synthesises one website from build-time
+ * storage and returns the same token as {@link resolveConfigRepoToken}.
+ *
+ * The PEM private key always comes from `GITHUB_APP_PRIVATE_KEY` — one
+ * App, many installations.
+ */
+declare function resolveGitHubTokenForRequest(request: Request): Promise<Result<string>>;
+
+export { resolveConfigRepoToken, resolveGitHubTokenForRequest };

package/dist/api-routes/_github-token.js

@@ -0,0 +1,8 @@
+import {
+  resolveConfigRepoToken,
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+export {
+  resolveConfigRepoToken,
+  resolveGitHubTokenForRequest
+};

package/dist/api-routes/_license-tier.d.ts

@@ -0,0 +1,22 @@
+import { FeatureTier } from '@setzkasten-cms/core';
+
+/**
+ * Server-side license-tier lookup based on the configured license key.
+ *
+ * The prefix is the canonical signal:
+ *   SK-PRO-...  → 'pro'
+ *   SK-ENT-...  → 'enterprise'
+ *   anything else (or unset) → 'free'
+ *
+ * The updater backend does the real validation (revocation, expiry); this
+ * function is enough to enforce honest-user limits at the API boundary.
+ * A bad actor faking a prefix will get 200 here but be flagged on the next
+ * dashboard register call — and the limit gate is a deterrent, not a
+ * payment system.
+ *
+ * Reads `SETZKASTEN_LICENSE_KEY` from the env first; future versions may
+ * add a config-repo `_global_config.json` fallback.
+ */
+declare function resolveLicenseTier(): FeatureTier;
+
+export { resolveLicenseTier };

package/dist/api-routes/_license-tier.js

@@ -0,0 +1,6 @@
+import {
+  resolveLicenseTier
+} from "../chunk-TJNJKPUL.js";
+export {
+  resolveLicenseTier
+};

package/dist/api-routes/_pages-meta-store.d.ts

@@ -0,0 +1,32 @@
+import { Result, PagesMeta } from '@setzkasten-cms/core';
+
+/**
+ * Server-side read/write helpers for `_pages-meta.json`.
+ *
+ * - `readPagesMeta` returns the parsed registry plus its current SHA, or
+ *   an empty registry with `sha: null` when the file does not exist.
+ * - `recordPageEdit` updates a single page's `lastModified` timestamp and
+ *   commits back, retrying once on 409 (concurrent edit). Failures
+ *   propagate as network errors so callers can decide whether to log
+ *   silently or surface them.
+ */
+interface PagesMetaTarget {
+    readonly owner: string;
+    readonly repo: string;
+    readonly branch: string;
+    readonly contentPath: string;
+    readonly token: string;
+}
+interface PagesMetaSnapshot {
+    readonly meta: PagesMeta;
+    readonly sha: string | null;
+}
+declare function readPagesMeta(target: PagesMetaTarget): Promise<Result<PagesMetaSnapshot>>;
+/**
+ * Records that `pageKey` was just edited. Reads the meta, sets the
+ * timestamp, writes back. On a 409 conflict (someone else committed
+ * meanwhile) the function re-reads and retries up to MAX_RETRIES times.
+ */
+declare function recordPageEdit(target: PagesMetaTarget, pageKey: string, timestamp?: number): Promise<Result<void>>;
+
+export { type PagesMetaTarget, readPagesMeta, recordPageEdit };

package/dist/api-routes/_pages-meta-store.js

@@ -0,0 +1,9 @@
+import {
+  readPagesMeta,
+  recordPageEdit
+} from "../chunk-FXNOTESI.js";
+import "../chunk-KH22FJO5.js";
+export {
+  readPagesMeta,
+  recordPageEdit
+};

package/dist/api-routes/_role-resolver.d.ts

@@ -0,0 +1,15 @@
+import { AuthProviderKind, UserRole } from '@setzkasten-cms/core';
+
+/**
+ * Builds the role-resolver callback that auth-adapters call per OAuth
+ * callback. Reads the live `_editors.json` (case-insensitive lookup) and
+ * combines it with the configured `allowedEmails` env list. Callers pass
+ * the resolver into `createGitHubAuth` / `createGoogleAuth` /
+ * `verifyFirebaseJwt` so role assignment happens once, in one place.
+ *
+ * Returns `null` when the user is not allowed at all, otherwise the
+ * effective role.
+ */
+declare function makeRoleResolver(provider: AuthProviderKind, allowedEmails: readonly string[] | undefined): (email: string) => Promise<UserRole | null>;
+
+export { makeRoleResolver };

package/dist/api-routes/_role-resolver.js

@@ -0,0 +1,13 @@
+import {
+  makeRoleResolver
+} from "../chunk-ZQDGGWJP.js";
+import "../chunk-INIWFKQ3.js";
+import "../chunk-6UIKVKED.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
+import "../chunk-NKDATSPA.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
+export {
+  makeRoleResolver
+};

package/dist/api-routes/_session-cookie.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Centralised builder for the session-cookie attributes. Two routes set the
+ * cookie today (auth-callback for GitHub OAuth, auth-setzkasten-login for
+ * Firebase) — both must share the exact same domain/secure/path so the
+ * cookie can be read across the admin and (in standalone setups) the
+ * managed website on a sibling subdomain.
+ */
+interface SessionCookieOptions {
+    readonly httpOnly: true;
+    readonly secure: boolean;
+    readonly sameSite: 'lax';
+    readonly path: '/';
+    readonly maxAge: number;
+    readonly domain?: string;
+}
+declare function sessionCookieOptions(secure: boolean): SessionCookieOptions;
+
+export { type SessionCookieOptions, sessionCookieOptions };

package/dist/api-routes/_session-cookie.js

@@ -0,0 +1,6 @@
+import {
+  sessionCookieOptions
+} from "../chunk-JHY6XTLL.js";
+export {
+  sessionCookieOptions
+};

package/dist/api-routes/_storage-config.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Storage resolution helpers for admin API routes.
+ *
+ * Two entry points:
+ *
+ * - {@link resolveStorageConfigForRequest} (default for content routes) —
+ *   resolves the **active website** for a request. In single mode this
+ *   is always the integration's website; in multi mode it is the website
+ *   selected by the X-SK-Website header.
+ *
+ * - {@link resolveStorageConfig} (build-time only, used by auth-guard
+ *   for the editors file) — returns the integration's build-time storage
+ *   target. In single mode this is the website repo; in multi mode it
+ *   is the config repo (where `_editors.json` lives next to
+ *   `websites.json`).
+ *
+ * The lookup chain inside `resolveStorageConfig`:
+ * 1. Request body override (explicit `{ owner, repo, branch }` payload)
+ * 2. `__SETZKASTEN_STORAGE__` Vite define (embedded at build time)
+ * 3. `globalThis.__SETZKASTEN_CONFIG__` (injectScript, SSR-only fallback)
+ */
+interface StorageConfig {
+    owner: string;
+    repo: string;
+    branch: string;
+    /** Monorepo prefix to prepend to file paths, e.g. 'apps/website' */
+    projectPrefix: string;
+}
+/**
+ * Returns the integration's build-time storage target. Used by the
+ * auth-guard to read the editors file (which lives next to the build-
+ * time storage in both single and multi mode) and by tests that want
+ * to bypass the per-request resolver. Most content routes should use
+ * {@link resolveStorageConfigForRequest} instead.
+ */
+declare function resolveStorageConfig(body?: {
+    owner?: string;
+    repo?: string;
+    branch?: string;
+}): StorageConfig | null;
+/**
+ * Prefix a file path with the monorepo project prefix.
+ * e.g. prefixPath('src/pages/index.astro', 'apps/website') → 'apps/website/src/pages/index.astro'
+ */
+declare function prefixPath(filePath: string, projectPrefix: string): string;
+/**
+ * Standalone-aware variant: resolves storage from the active website
+ * (X-SK-Website header → WebsitesRegistry) before falling back to the
+ * single-repo build-time configuration.
+ *
+ * Body overrides still win over both — useful for routes that take an
+ * explicit `{ owner, repo, branch }` payload.
+ */
+declare function resolveStorageConfigForRequest(request: Request, body?: {
+    owner?: string;
+    repo?: string;
+    branch?: string;
+}): Promise<StorageConfig | null>;
+
+export { type StorageConfig, prefixPath, resolveStorageConfig, resolveStorageConfigForRequest };

package/dist/api-routes/_storage-config.js

@@ -0,0 +1,10 @@
+import {
+  prefixPath,
+  resolveStorageConfig,
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+export {
+  prefixPath,
+  resolveStorageConfig,
+  resolveStorageConfigForRequest
+};

package/dist/api-routes/_vercel-origin.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Derives the real public origin on Vercel (and any reverse-proxy setup).
+ *
+ * Problem: Inside a Vercel serverless function, both `request.url` and
+ * Astro's `url` context resolve to the internal function host
+ * (e.g. "https://localhost"), not the public hostname.
+ *
+ * Solution: Read the x-forwarded-host and x-forwarded-proto headers that
+ * Vercel's edge layer sets on every inbound request.
+ *
+ * Falls back gracefully to the `host` header and `https` for local dev
+ * or non-Vercel environments.
+ */
+declare function getPublicOrigin(request: Request): string;
+
+export { getPublicOrigin };

package/dist/api-routes/_vercel-origin.js

@@ -0,0 +1,6 @@
+import {
+  getPublicOrigin
+} from "../chunk-5ZFTG4BW.js";
+export {
+  getPublicOrigin
+};

package/dist/api-routes/_webhook-dispatcher.d.ts

@@ -0,0 +1,13 @@
+import { WebhookEvent, WebhookPayload } from '@setzkasten-cms/core';
+
+/**
+ * Fire all enabled webhooks subscribed to `event`. Best-effort —
+ * each request runs with a 5s timeout; failures are recorded in the
+ * in-memory status store but do not throw or block the caller.
+ *
+ * Caller-side: invoke as `void fireWebhooks(...)` to make the
+ * fire-and-forget intent explicit.
+ */
+declare function fireWebhooks(event: WebhookEvent, payload: Omit<WebhookPayload, 'event' | 'timestamp'>, request: Request): Promise<void>;
+
+export { fireWebhooks };

package/dist/api-routes/_webhook-dispatcher.js

@@ -0,0 +1,97 @@
+import {
+  signPayload
+} from "../chunk-737TIZRU.js";
+import {
+  recordWebhookFire
+} from "../chunk-W3QHY5GW.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import {
+  cachedFetch
+} from "../chunk-45ARVNT3.js";
+import {
+  resolveGitHubTokenForRequest
+} from "../chunk-NKDATSPA.js";
+
+// src/api-routes/_webhook-dispatcher.ts
+import {
+  parseWebhooksFile,
+  selectWebhooksForEvent
+} from "@setzkasten-cms/core";
+var WEBHOOKS_FILE = (contentPath) => `${contentPath}/_webhooks.json`;
+var DISPATCH_TIMEOUT_MS = 5e3;
+async function fireWebhooks(event, payload, request) {
+  try {
+    const webhooks = await loadWebhooksForRequest(request);
+    if (!webhooks || webhooks.length === 0) return;
+    const targets = selectWebhooksForEvent(webhooks, event);
+    if (targets.length === 0) return;
+    const fullPayload = {
+      event,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ...payload
+    };
+    const body = JSON.stringify(fullPayload);
+    await Promise.all(targets.map((w) => fireOne(w, event, body)));
+  } catch (err) {
+    console.error("[setzkasten] webhook dispatch failed:", err);
+  }
+}
+async function fireOne(webhook, event, body) {
+  const headers = {
+    "Content-Type": "application/json",
+    "X-Setzkasten-Event": event,
+    "X-Setzkasten-Delivery": crypto.randomUUID()
+  };
+  if (webhook.secret) {
+    headers["X-Setzkasten-Signature"] = `sha256=${signPayload(body, webhook.secret)}`;
+  }
+  try {
+    const res = await fetch(webhook.url, {
+      method: "POST",
+      headers,
+      body,
+      signal: AbortSignal.timeout(DISPATCH_TIMEOUT_MS)
+    });
+    recordWebhookFire(webhook.id, res.status);
+  } catch (err) {
+    recordWebhookFire(webhook.id, "error");
+    console.warn(`[setzkasten] webhook "${webhook.id}" failed:`, err);
+  }
+}
+async function loadWebhooksForRequest(request) {
+  const tokenResult = await resolveGitHubTokenForRequest(request);
+  if (!tokenResult.ok) return null;
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) return null;
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  const { owner, repo, branch } = storage;
+  const cacheKey = `webhooks:${owner}/${repo}:${branch}`;
+  return cachedFetch(cacheKey, 6e4, async () => {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/contents/${WEBHOOKS_FILE(contentPath)}?ref=${branch}`,
+      {
+        headers: {
+          Authorization: `Bearer ${tokenResult.value}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
+    );
+    if (res.status === 404) return [];
+    if (!res.ok) return null;
+    const data = await res.json();
+    const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;
+    const parsed = parseWebhooksFile(raw);
+    if (!parsed.ok) {
+      console.warn("[setzkasten] _webhooks.json parse error:", parsed.error.message);
+      return null;
+    }
+    return parsed.value.webhooks;
+  });
+}
+export {
+  fireWebhooks
+};

package/dist/api-routes/_webhook-signing.d.ts

@@ -0,0 +1,11 @@
+/**
+ * HMAC-SHA256 signature of the webhook payload body, hex-encoded.
+ * Receivers verify with the same secret and the **raw** request body —
+ * pattern is identical to GitHub webhooks.
+ *
+ * Lives in astro-admin (not core) because it imports node:crypto.
+ * core's "zero external deps" rule keeps it edge/browser-runnable.
+ */
+declare function signPayload(body: string, secret: string): string;
+
+export { signPayload };

package/dist/api-routes/_webhook-signing.js

@@ -0,0 +1,6 @@
+import {
+  signPayload
+} from "../chunk-737TIZRU.js";
+export {
+  signPayload
+};

package/dist/api-routes/_webhook-status-store.d.ts

@@ -0,0 +1,19 @@
+/**
+ * In-memory webhook status — last fired timestamp + last HTTP status per
+ * webhook id. Survives only the server process; cold-start losses are
+ * acceptable because this is a status display, not the source of truth.
+ *
+ * Persisting to `_webhooks.json` would create a commit-storm
+ * (every save → webhook fire → webhook commit → trigger save → …). The
+ * UI just refetches `/webhooks/status` after a test-fire or save.
+ */
+interface WebhookStatusEntry {
+    readonly lastFiredAt: string;
+    readonly lastStatus: number | 'error';
+}
+declare function recordWebhookFire(id: string, status: number | 'error'): void;
+declare function getWebhookStatus(): Record<string, WebhookStatusEntry>;
+/** Test-only — clears the in-memory map. */
+declare function _resetWebhookStatusForTests(): void;
+
+export { type WebhookStatusEntry, _resetWebhookStatusForTests, getWebhookStatus, recordWebhookFire };

package/dist/api-routes/_webhook-status-store.js

@@ -0,0 +1,10 @@
+import {
+  _resetWebhookStatusForTests,
+  getWebhookStatus,
+  recordWebhookFire
+} from "../chunk-W3QHY5GW.js";
+export {
+  _resetWebhookStatusForTests,
+  getWebhookStatus,
+  recordWebhookFire
+};

package/dist/api-routes/_website-resolver.d.ts

@@ -0,0 +1,49 @@
+import { WebsitesRegistryProvider, WebsiteEntry, Result } from '@setzkasten-cms/core';
+
+/**
+ * Per-request resolver for the active website.
+ *
+ * Standalone mode: looks up the entry matching the X-SK-Website request
+ * header in the websites registry (config-repo).
+ *
+ * Single-repo mode (backward compat): returns a synthesized WebsiteEntry
+ * built from the integration's build-time storage + GitHub-App ENV vars.
+ * The header is ignored.
+ */
+interface MultiState {
+    readonly mode: 'multi';
+    readonly registry: WebsitesRegistryProvider;
+}
+interface SingleRepoState {
+    readonly mode: 'single';
+    readonly synthesized: WebsiteEntry;
+}
+type ResolverState = MultiState | SingleRepoState | null;
+/** Test/admin hook: install or clear the resolver state. */
+declare function __resetWebsiteResolverForTests(next: ResolverState): void;
+/**
+ * Configure the resolver state explicitly. Currently only the test suite
+ * uses this — production wiring runs lazily through
+ * {@link bootstrapResolverFromGlobals} on the first request, since the
+ * Astro integration doesn't have an obvious "initialize once" hook
+ * (`astro:server:start` runs in dev only). The export stays available so
+ * a future integration-startup wire-up has a typed entry point.
+ */
+declare function configureWebsiteResolver(next: ResolverState): void;
+/**
+ * Lazy bootstrap from build-time globals. Reads `__SETZKASTEN_FULL_CONFIG__`
+ * and `__SETZKASTEN_STORAGE__` (set by the Astro integration via Vite
+ * define — literals only, NOT globalThis) to derive single-repo or
+ * standalone state. Idempotent — does nothing if the resolver is already
+ * configured.
+ */
+declare function bootstrapResolverFromGlobals(): void;
+declare function resolveCurrentWebsite(request: Request): Promise<Result<WebsiteEntry>>;
+/**
+ * Lists all websites known to the resolver.
+ * Standalone mode: defers to the registry. Single-repo mode: returns the
+ * synthesized entry as a one-element list.
+ */
+declare function listAllWebsites(): Promise<Result<readonly WebsiteEntry[]>>;
+
+export { __resetWebsiteResolverForTests, bootstrapResolverFromGlobals, configureWebsiteResolver, listAllWebsites, resolveCurrentWebsite };

package/dist/api-routes/_website-resolver.js

@@ -0,0 +1,14 @@
+import {
+  __resetWebsiteResolverForTests,
+  bootstrapResolverFromGlobals,
+  configureWebsiteResolver,
+  listAllWebsites,
+  resolveCurrentWebsite
+} from "../chunk-V6IMPVF3.js";
+export {
+  __resetWebsiteResolverForTests,
+  bootstrapResolverFromGlobals,
+  configureWebsiteResolver,
+  listAllWebsites,
+  resolveCurrentWebsite
+};

package/dist/api-routes/_websites-store.d.ts

@@ -0,0 +1,30 @@
+import { Result, WebsitesRegistry } from '@setzkasten-cms/core';
+
+/**
+ * Read/write the standalone admin's `websites.json` from the config repo.
+ * Pure HTTP — no caching here; the GitHub-side cache lives in
+ * GitHubWebsitesRegistry, which API routes invalidate explicitly after a
+ * successful write.
+ */
+
+interface ConfigRepoTarget {
+    readonly owner: string;
+    readonly repo: string;
+    readonly branch: string;
+    readonly path: string;
+    readonly token: string;
+}
+interface ReadResult {
+    readonly registry: WebsitesRegistry;
+    readonly sha: string | null;
+}
+declare function readWebsitesRegistryFromGitHub(target: ConfigRepoTarget): Promise<Result<ReadResult>>;
+declare function writeWebsitesRegistryToGitHub(target: ConfigRepoTarget, registry: WebsitesRegistry, previousSha: string | null, commitMessage: string): Promise<Result<void>>;
+/**
+ * Reads the standalone-admin storage config out of the build-time
+ * `__SETZKASTEN_FULL_CONFIG__` global. Returns null when the deployment
+ * is not in standalone mode (single-repo setups have no websites.json).
+ */
+declare function resolveConfigRepoTargetFromGlobals(token: string): ConfigRepoTarget | null;
+
+export { readWebsitesRegistryFromGitHub, resolveConfigRepoTargetFromGlobals, writeWebsitesRegistryToGitHub };