@setzkasten-cms/astro-admin 1.4.2 → 1.5.0

package/src/api-routes/__tests__/updater-register.test.ts

@@ -0,0 +1,230 @@
+/**
+ * @vitest-environment node
+ */
+
+import { type Result, type WebsiteEntry, err, ok, validationError } from '@setzkasten-cms/core'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { __resetWebsiteResolverForTests } from '../_website-resolver'
+
+const ENTRY_A: WebsiteEntry = {
+  id: 'site-a',
+  name: 'Site A',
+  repo: 'acme/site-a',
+  branch: 'main',
+  previewOrigin: 'https://a.example.com',
+  githubApp: { appId: '1', installationId: '101' },
+}
+
+const ENTRY_B: WebsiteEntry = {
+  id: 'site-b',
+  name: 'Site B',
+  repo: 'acme/site-b',
+  branch: 'develop',
+  previewOrigin: 'https://b.example.com',
+  githubApp: { appId: '1', installationId: '202' },
+}
+
+const SESSION = JSON.stringify({
+  user: {
+    id: 'u1',
+    email: 'admin@example.com',
+    role: 'admin',
+    provider: 'github',
+  },
+  expiresAt: Date.now() + 60 * 60 * 1000,
+})
+
+function makeCtx(body: unknown = undefined, sessionValue: string | null = SESSION) {
+  const init: RequestInit = { method: 'POST' }
+  if (body !== undefined) {
+    init.body = JSON.stringify(body)
+    init.headers = { 'content-type': 'application/json' }
+  }
+  const request = new Request('https://cms.example.com/api/setzkasten/updater/register', init)
+  return {
+    request,
+    cookies: {
+      get: vi.fn((name: string) =>
+        name === 'setzkasten_session' && sessionValue ? { value: sessionValue } : undefined,
+      ),
+    },
+  }
+}
+
+interface MockRegistry {
+  list: ReturnType<typeof vi.fn>
+  get: ReturnType<typeof vi.fn>
+}
+
+function makeRegistry(entries: readonly WebsiteEntry[]): MockRegistry {
+  return {
+    list: vi.fn(async (): Promise<Result<readonly WebsiteEntry[]>> => ok(entries)),
+    get: vi.fn(async (id: string): Promise<Result<WebsiteEntry | null>> => {
+      return ok(entries.find((e) => e.id === id) ?? null)
+    }),
+  }
+}
+
+function setBuildConfig(updaterUrl: string) {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ = {
+    updaterUrl,
+    version: '1.2.3',
+    websiteUrl: 'https://cms.example.com',
+    storage: { owner: 'acme', repo: 'cms-config' },
+  }
+}
+
+beforeEach(() => {
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ = undefined
+  __resetWebsiteResolverForTests(null)
+})
+
+afterEach(() => {
+  vi.restoreAllMocks()
+  ;(globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ = undefined
+  __resetWebsiteResolverForTests(null)
+})
+
+describe('POST /api/setzkasten/updater/register – managedWebsites payload', () => {
+  it('sends the full list of website ids from the multi-mode registry', async () => {
+    setBuildConfig('https://updater.example.com')
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: makeRegistry([ENTRY_A, ENTRY_B]),
+    })
+
+    let captured: { managedWebsites?: string[] } | null = null
+    const fetchMock = vi.fn(async (_url: string, init?: RequestInit) => {
+      captured = JSON.parse(String(init?.body)) as { managedWebsites?: string[] }
+      return {
+        ok: true,
+        json: async () => ({ instanceId: 'abc', latestVersion: '1.2.3' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../updater-register')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(res.status).toBe(200)
+    expect(captured).not.toBeNull()
+    expect(captured!.managedWebsites).toEqual(['site-a', 'site-b'])
+  })
+
+  it('sends the synthesized id in single-repo mode', async () => {
+    setBuildConfig('https://updater.example.com')
+    __resetWebsiteResolverForTests({
+      mode: 'single',
+      synthesized: {
+        id: 'default',
+        name: 'cms',
+        repo: 'acme/cms',
+        branch: 'main',
+        previewOrigin: 'https://cms.example.com',
+        githubApp: { appId: '1', installationId: '1' },
+      },
+    })
+
+    let captured: { managedWebsites?: string[] } | null = null
+    const fetchMock = vi.fn(async (_url: string, init?: RequestInit) => {
+      captured = JSON.parse(String(init?.body)) as { managedWebsites?: string[] }
+      return {
+        ok: true,
+        json: async () => ({ instanceId: 'abc', latestVersion: '1.2.3' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../updater-register')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(res.status).toBe(200)
+    expect(captured!.managedWebsites).toEqual(['default'])
+  })
+
+  it('falls back to an empty array when the resolver is not configured', async () => {
+    setBuildConfig('https://updater.example.com')
+    // resolver intentionally left null — listAllWebsites() will return a validation error
+    __resetWebsiteResolverForTests(null)
+    // Block bootstrap from succeeding via globals.
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ = undefined
+    ;(globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ = undefined
+
+    let captured: { managedWebsites?: string[] } | null = null
+    const fetchMock = vi.fn(async (_url: string, init?: RequestInit) => {
+      captured = JSON.parse(String(init?.body)) as { managedWebsites?: string[] }
+      return {
+        ok: true,
+        json: async () => ({ instanceId: 'abc', latestVersion: '1.2.3' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../updater-register')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(res.status).toBe(200)
+    expect(captured!.managedWebsites).toEqual([])
+  })
+
+  it('reflects newly added websites on the next register call', async () => {
+    setBuildConfig('https://updater.example.com')
+    const initial = [ENTRY_A]
+    const after = [ENTRY_A, ENTRY_B]
+
+    const captured: Array<{ managedWebsites?: string[] }> = []
+    const fetchMock = vi.fn(async (_url: string, init?: RequestInit) => {
+      captured.push(JSON.parse(String(init?.body)) as { managedWebsites?: string[] })
+      return {
+        ok: true,
+        json: async () => ({ instanceId: 'abc', latestVersion: '1.2.3' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry(initial) })
+    const { POST } = await import('../updater-register')
+    await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    __resetWebsiteResolverForTests({ mode: 'multi', registry: makeRegistry(after) })
+    await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(captured[0]!.managedWebsites).toEqual(['site-a'])
+    expect(captured[1]!.managedWebsites).toEqual(['site-a', 'site-b'])
+  })
+
+  it('returns 401 without a session', async () => {
+    setBuildConfig('https://updater.example.com')
+    const { POST } = await import('../updater-register')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx(undefined, null))
+
+    expect(res.status).toBe(401)
+  })
+
+  it('survives a registry list error: heartbeat still fires with an empty array', async () => {
+    setBuildConfig('https://updater.example.com')
+    __resetWebsiteResolverForTests({
+      mode: 'multi',
+      registry: {
+        list: vi.fn(async () => err(validationError(['x'], 'boom', 'registry unreachable'))),
+        get: vi.fn(),
+      } as unknown as MockRegistry,
+    })
+
+    let captured: { managedWebsites?: string[] } | null = null
+    const fetchMock = vi.fn(async (_url: string, init?: RequestInit) => {
+      captured = JSON.parse(String(init?.body)) as { managedWebsites?: string[] }
+      return {
+        ok: true,
+        json: async () => ({ instanceId: 'abc', latestVersion: '1.2.3' }),
+      } as Response
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { POST } = await import('../updater-register')
+    const res = await (POST as (ctx: unknown) => Promise<Response>)(makeCtx())
+
+    expect(res.status).toBe(200)
+    expect(captured!.managedWebsites).toEqual([])
+  })
+})

package/src/api-routes/__tests__/webhook-signing.test.ts

@@ -2,7 +2,7 @@
  * @vitest-environment node
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, expect, it } from 'vitest'
 import { signPayload } from '../_webhook-signing'
 
 describe('signPayload', () => {

package/src/api-routes/__tests__/webhooks.test.ts

@@ -4,21 +4,26 @@
 
 import { generateKeyPairSync } from 'node:crypto'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
 const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
 
-const ADMIN_SESSION = JSON.stringify({
+const ADMIN_SESSION = makeTestSessionCookie({
   user: { id: 'u1', email: 'admin@example.com', role: 'admin', provider: 'github' },
   expiresAt: Date.now() + 60 * 60 * 1000,
 })
 
-const EDITOR_SESSION = JSON.stringify({
+const EDITOR_SESSION = makeTestSessionCookie({
   user: { id: 'u2', email: 'editor@example.com', role: 'editor', provider: 'google' },
   expiresAt: Date.now() + 60 * 60 * 1000,
 })
 
-function makeCtx(method: 'GET' | 'PUT', body?: unknown, sessionValue: string | null = ADMIN_SESSION) {
+function makeCtx(
+  method: 'GET' | 'PUT',
+  body?: unknown,
+  sessionValue: string | null = ADMIN_SESSION,
+) {
   const url = new URL('https://cms.example.com/api/setzkasten/webhooks')
   const init: RequestInit = { method }
   if (body !== undefined) {
@@ -174,9 +179,7 @@ describe('PUT /api/setzkasten/webhooks', () => {
   it('returns 403 with feature-locked at free tier', async () => {
     vi.stubEnv('SETZKASTEN_LICENSE_KEY', '')
     const { PUT } = await import('../webhooks')
-    const res = await (PUT as (ctx: unknown) => Promise<Response>)(
-      makeCtx('PUT', { webhooks: [] }),
-    )
+    const res = await (PUT as (ctx: unknown) => Promise<Response>)(makeCtx('PUT', { webhooks: [] }))
     expect(res.status).toBe(403)
     const body = await res.json()
     expect(body.code).toBe('feature-locked')
@@ -195,7 +198,16 @@ describe('PUT /api/setzkasten/webhooks', () => {
     const { PUT } = await import('../webhooks')
     const res = await (PUT as (ctx: unknown) => Promise<Response>)(
       makeCtx('PUT', {
-        webhooks: [{ id: 'x', name: 'X', url: 'not-a-url', events: ['content.save'], enabled: true, createdAt: '2026-05-08T12:00:00Z' }],
+        webhooks: [
+          {
+            id: 'x',
+            name: 'X',
+            url: 'not-a-url',
+            events: ['content.save'],
+            enabled: true,
+            createdAt: '2026-05-08T12:00:00Z',
+          },
+        ],
       }),
     )
     expect(res.status).toBe(400)

package/src/api-routes/__tests__/websites-add.test.ts

@@ -5,6 +5,7 @@
 import { generateKeyPairSync } from 'node:crypto'
 import type { WebsiteEntry } from '@setzkasten-cms/core'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
 const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
@@ -33,7 +34,7 @@ const EXISTING_REGISTRY = {
 
 // Admin sessions only — websites-add is admin-gated. Tests that exercise
 // the unauthorized branch pass `null` to drop the cookie entirely.
-const ADMIN_SESSION = JSON.stringify({
+const ADMIN_SESSION = makeTestSessionCookie({
   user: {
     id: 'u1',
     email: 'admin@example.com',

package/src/api-routes/__tests__/websites-remove.test.ts

@@ -5,6 +5,7 @@
 import { generateKeyPairSync } from 'node:crypto'
 import type { WebsiteEntry } from '@setzkasten-cms/core'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
 const PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }) as string
@@ -31,7 +32,7 @@ const REGISTRY = {
 }
 
 // Admin sessions only — websites-remove is admin-gated.
-const ADMIN_SESSION = JSON.stringify({
+const ADMIN_SESSION = makeTestSessionCookie({
   user: {
     id: 'u1',
     email: 'admin@example.com',

package/src/api-routes/_auth-guard.ts

@@ -1,14 +1,28 @@
 import { canEditPage } from '@setzkasten-cms/auth'
 import type { AuthSession, ContentEditorConfig, SetzKastenConfig } from '@setzkasten-cms/core'
-import { resolveStorageConfig } from './_storage-config'
 import { resolveConfigRepoToken } from './_github-token'
+import { resolveSessionSecret } from './_session-secret'
+import { verifySessionCookie } from './_session-signing'
+import { resolveStorageConfig } from './_storage-config'
 import { readEditorsFileStatus } from './editors'
 
+/**
+ * Returns the verified session iff the cookie's HMAC signature matches
+ * the server secret AND `expiresAt` is in the future. Pre-C1 this used
+ * to do `JSON.parse` on whatever the client sent — any unauthenticated
+ * attacker could forge an admin session in 30 seconds.
+ *
+ * Single source of truth: every guard (`requireAdmin`, `guardPageAccess`)
+ * runs through this. No code path reads the cookie directly anymore.
+ */
 export function parseSession(raw: string | undefined): AuthSession | null {
   if (!raw) return null
   try {
-    return JSON.parse(raw) as AuthSession
+    const result = verifySessionCookie(raw, resolveSessionSecret())
+    return result.ok ? result.value : null
   } catch {
+    // resolveSessionSecret throws in production when misconfigured —
+    // fail closed so a missing secret can't be exploited as "no auth".
     return null
   }
 }
@@ -70,10 +84,9 @@ export async function guardPageAccess(
   // Layer 1: global editors file
   const editorsLookup = await resolveDynamicEditors()
   if (!editorsLookup.ok) {
-    return new Response(
-      `Forbidden: editor permissions unavailable (${editorsLookup.error})`,
-      { status: 503 },
-    )
+    return new Response(`Forbidden: editor permissions unavailable (${editorsLookup.error})`, {
+      status: 503,
+    })
   }
   if (!canEditPage(session, pageKey, editorsLookup.editors)) {
     return new Response('Forbidden: you do not have access to this page', { status: 403 })
@@ -97,9 +110,24 @@ export async function guardPageAccess(
  * X-SK-Website header resolves to. Admins always pass; single-mode
  * skips this check entirely (no website context).
  *
- * Returns 403 on deny, null on allow. Resolver failures are
- * considered "no per-website restriction" — the global guard above
- * already covers fail-closed for editors-file errors.
+ * Default-deny semantics (post-C5): in multi-mode, an editor with no
+ * explicit `allowedEmails` entry on the target website is denied.
+ *
+ *   Pre-fix: an editor on website A could send `X-SK-Website: B` and
+ *   inherit access transitively from the global editors file, because
+ *   "no allowedEmails on B" was treated as "no restriction". That made
+ *   the global file the only effective gate — an editor for project A
+ *   could mutate project B by spoofing one HTTP header.
+ *
+ *   Now: empty / missing `allowedEmails` means "no editors allowed on
+ *   this website" — only admins pass. Set `allowedEmails: [editor@…]`
+ *   explicitly to grant access. Existing single-website-per-editor
+ *   setups need to add the email to the website entry; the migration
+ *   note in `docs/migration-single-to-multi.md` documents this.
+ *
+ * Returns 403 on deny, null on allow. Resolver failures (no website
+ * context) are still treated as "no check applies" so single-mode
+ * routes work unchanged.
  */
 export async function guardWebsiteAccess(
   session: AuthSession,
@@ -112,14 +140,17 @@ export async function guardWebsiteAccess(
   if (!website.ok) return null
 
   const allowed = website.value.allowedEmails
-  if (!allowed || allowed.length === 0) return null
-
-  if (!allowed.includes(session.user.email)) {
+  if (!allowed || allowed.length === 0) {
     return new Response(
-      `Forbidden: not allowed on website "${website.value.id}"`,
+      `Forbidden: website "${website.value.id}" has no editor allow-list — ` +
+        `add the editor's email to allowedEmails or grant admin role`,
       { status: 403 },
     )
   }
+
+  if (!allowed.includes(session.user.email)) {
+    return new Response(`Forbidden: not allowed on website "${website.value.id}"`, { status: 403 })
+  }
   return null
 }
 
@@ -136,8 +167,9 @@ async function resolveDynamicEditors(): Promise<EditorsLookup> {
     return { ok: false, error: `token: ${tokenResult.error.message}` }
   }
 
-  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
-    .__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } }
+  ).__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
 
   const status = await readEditorsFileStatus(

package/src/api-routes/_commit-trailers.ts

@@ -7,9 +7,10 @@ export const SETZKASTEN_CO_AUTHOR = 'Co-authored-by: Setzkasten <setzkasten@setz
 export function withTrailers(message: string, editorEmail?: string | null): string {
   const trailers = [SETZKASTEN_CO_AUTHOR]
   if (editorEmail) {
-    const name = editorEmail.split('@')[0]!
+    const name = editorEmail
+      .split('@')[0]!
       .replace(/[._-]+/g, ' ')
-      .replace(/\b\w/g, c => c.toUpperCase())
+      .replace(/\b\w/g, (c) => c.toUpperCase())
     trailers.push(`Co-authored-by: ${name} <${editorEmail}>`)
   }
   return `${message}\n\n${trailers.join('\n')}`

package/src/api-routes/_dev-session-secret.ts

@@ -0,0 +1,79 @@
+import { randomBytes } from 'node:crypto'
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
+import { join } from 'node:path'
+
+/**
+ * Ensures a per-machine dev session secret exists and returns its value.
+ *
+ * Pre-fix: a hardcoded fallback string was used when no env var was set
+ * — anyone with the source could mint admin cookies against any
+ * deployment that forgot to set NODE_ENV=production. The string was
+ * literally checked into the repo.
+ *
+ * Now: on first start without `SETZKASTEN_SESSION_SECRET`, a 32-byte
+ * random secret is generated and persisted to `.setzkasten/dev-secret`
+ * (relative to cwd, gitignored). Subsequent starts read the same file.
+ *
+ *   - Per-machine, never shared across developers.
+ *   - File mode 0600 so other users on the box can't read it.
+ *   - Gitignored — the secret never leaves the developer's machine.
+ *   - Rotation is `rm -rf .setzkasten` followed by re-login.
+ *
+ * Production never reaches this code path: the resolver fails closed
+ * with a clear error when the env var is missing under NODE_ENV=production.
+ */
+
+const DEV_SECRET_DIR = '.setzkasten'
+const DEV_SECRET_FILE = 'dev-secret'
+
+let cachedSecret: string | null = null
+
+export function ensureDevSessionSecret(): string {
+  if (cachedSecret) return cachedSecret
+
+  const dir = join(process.cwd(), DEV_SECRET_DIR)
+  const file = join(dir, DEV_SECRET_FILE)
+
+  if (existsSync(file)) {
+    const content = readFileSync(file, 'utf-8').trim()
+    if (content.length >= 32) {
+      cachedSecret = content
+      return content
+    }
+    // Truncated / corrupted — regenerate below.
+  }
+
+  mkdirSync(dir, { recursive: true })
+  const fresh = randomBytes(32).toString('hex')
+
+  try {
+    writeFileSync(file, `${fresh}\n`, { flag: 'wx', mode: 0o600 })
+  } catch (cause) {
+    // Race with another worker that wrote first; re-read.
+    if ((cause as NodeJS.ErrnoException)?.code === 'EEXIST') {
+      const content = readFileSync(file, 'utf-8').trim()
+      if (content.length >= 32) {
+        cachedSecret = content
+        return content
+      }
+    }
+    throw cause
+  }
+
+  // eslint-disable-next-line no-console
+  console.warn(
+    `[setzkasten] Generated dev session secret at ${file} (mode 0600). ` +
+      'Set SETZKASTEN_SESSION_SECRET in production. Delete the file to rotate.',
+  )
+
+  cachedSecret = fresh
+  return fresh
+}
+
+/**
+ * Test-only escape hatch: lets a test helper set the secret without
+ * touching the filesystem. Production code never calls this.
+ */
+export function __setDevSessionSecretForTests(secret: string | null): void {
+  cachedSecret = secret
+}

package/src/api-routes/_github-token.ts

@@ -1,4 +1,4 @@
-import { err, authError, type Result } from '@setzkasten-cms/core'
+import { type Result, authError, err } from '@setzkasten-cms/core'
 import { GitHubAppClient } from '@setzkasten-cms/github-adapter'
 
 /**

package/src/api-routes/_pages-meta-store.ts

@@ -1,12 +1,12 @@
 import {
+  type PagesMeta,
+  type Result,
   emptyPagesMeta,
   err,
   networkError,
   ok,
   parsePagesMeta,
   setPageLastModified,
-  type PagesMeta,
-  type Result,
 } from '@setzkasten-cms/core'
 import { withTrailers } from './_commit-trailers'
 

package/src/api-routes/_role-resolver.ts

@@ -1,6 +1,6 @@
-import { resolveRoleForUser, type UserRole, type AuthProviderKind } from '@setzkasten-cms/core'
-import { resolveStorageConfig } from './_storage-config'
+import { type AuthProviderKind, type UserRole, resolveRoleForUser } from '@setzkasten-cms/core'
 import { resolveConfigRepoToken } from './_github-token'
+import { resolveStorageConfig } from './_storage-config'
 import { readEditorsFileStatus } from './editors'
 
 /**
@@ -42,9 +42,11 @@ async function loadEditorsForResolution() {
     throw new Error(`role-resolver: token unavailable (${tokenResult.error.message})`)
   }
 
-  const serverConfig = (globalThis as {
-    __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
-  }).__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as {
+      __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
+    }
+  ).__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
 
   const status = await readEditorsFileStatus(

package/src/api-routes/_session-secret.ts

@@ -0,0 +1,46 @@
+/**
+ * Resolves the HMAC secret used to sign session cookies.
+ *
+ * Priority:
+ *   1. `SETZKASTEN_SESSION_SECRET` env var (production requirement)
+ *   2. `__SETZKASTEN_BUILD_CONFIG__.sessionSecret` (build-time injection)
+ *   3. **Dev-only:** persistent per-machine random secret in
+ *      `.setzkasten/dev-secret` (gitignored). Generated on first run,
+ *      reused thereafter. Never the same string across machines, never
+ *      checked into the repo.
+ *
+ * Pre-C1 there was no signing at all. Pre-this-fix the dev fallback was
+ * a hardcoded string in source — anyone reading the code could mint
+ * admin cookies against any deployment that accidentally ran without
+ * NODE_ENV=production. The fallback is now random per-machine.
+ */
+
+import { ensureDevSessionSecret } from './_dev-session-secret'
+
+const MIN_SECRET_LENGTH = 32
+
+export function resolveSessionSecret(): string {
+  const fromEnv = process.env.SETZKASTEN_SESSION_SECRET
+  if (typeof fromEnv === 'string' && fromEnv.trim().length >= MIN_SECRET_LENGTH) {
+    return fromEnv.trim()
+  }
+
+  const fromBuild = (globalThis as Record<string, unknown>).__SETZKASTEN_BUILD_CONFIG__ as
+    | { sessionSecret?: string }
+    | undefined
+  if (
+    typeof fromBuild?.sessionSecret === 'string' &&
+    fromBuild.sessionSecret.trim().length >= MIN_SECRET_LENGTH
+  ) {
+    return fromBuild.sessionSecret.trim()
+  }
+
+  if (process.env.NODE_ENV === 'production') {
+    throw new Error(
+      'SETZKASTEN_SESSION_SECRET is missing or too short (need ≥32 chars). ' +
+        'Generate one with `openssl rand -hex 32` and set it as an env var.',
+    )
+  }
+
+  return ensureDevSessionSecret()
+}