@setzkasten-cms/astro-admin 1.4.2 → 1.5.0

package/src/api-routes/_session-signing.ts

@@ -0,0 +1,135 @@
+/**
+ * Signed session cookies.
+ *
+ * Pre-C1 the session cookie was `JSON.stringify(session)` — readable and
+ * forgeable. An unauthenticated attacker could craft any role for any
+ * email and walk in. This module replaces that with HMAC-SHA256 over a
+ * canonical JSON payload, and refuses cookies whose signature doesn't
+ * match a known secret.
+ *
+ * Wire format:
+ *
+ *     <base64url(JSON.stringify(payload))>.<base64url(HMAC-SHA256(payload))>
+ *
+ * Two segments separated by a literal `.`. Both segments are base64url
+ * (no padding). Anything that doesn't decode to that shape is rejected.
+ *
+ * The secret is supplied per-call so this module stays pure and keeps
+ * the secret-resolution policy (env var, cookie domain, fail-closed in
+ * prod) at the integration layer.
+ */
+
+import { createHmac, timingSafeEqual } from 'node:crypto'
+import type { AuthSession } from '@setzkasten-cms/core'
+
+const SEPARATOR = '.'
+
+function base64urlEncode(input: string | Buffer): string {
+  const buf = typeof input === 'string' ? Buffer.from(input, 'utf-8') : input
+  return buf.toString('base64url')
+}
+
+function base64urlDecode(input: string): Buffer | null {
+  if (!/^[A-Za-z0-9_-]+$/.test(input)) return null
+  try {
+    return Buffer.from(input, 'base64url')
+  } catch {
+    return null
+  }
+}
+
+function hmac(payload: string, secret: string): Buffer {
+  return createHmac('sha256', secret).update(payload).digest()
+}
+
+/**
+ * Produces the cookie value for a verified session. Throws on missing
+ * secret — the caller (always server-side) must have one resolved.
+ */
+export function signSession(session: AuthSession, secret: string): string {
+  if (typeof secret !== 'string' || secret.trim().length === 0) {
+    throw new Error('signSession: missing secret')
+  }
+  const json = JSON.stringify(session)
+  const payloadB64 = base64urlEncode(json)
+  const sigB64 = hmac(payloadB64, secret).toString('base64url')
+  return `${payloadB64}${SEPARATOR}${sigB64}`
+}
+
+export type VerifyResult =
+  | { readonly ok: true; readonly value: AuthSession }
+  | { readonly ok: false; readonly reason: VerifyFailureReason }
+
+export type VerifyFailureReason =
+  | 'malformed'
+  | 'bad-signature'
+  | 'invalid-payload'
+  | 'expired'
+  | 'missing-expiry'
+
+/**
+ * Returns the parsed session iff the signature matches AND the payload
+ * has a numeric `expiresAt` in the future. Rejects everything else.
+ *
+ * @param now Override timestamp for tests. Defaults to `Date.now()`.
+ */
+export function verifySessionCookie(
+  raw: string,
+  secret: string,
+  now: number = Date.now(),
+): VerifyResult {
+  if (typeof raw !== 'string' || raw.length === 0) {
+    return { ok: false, reason: 'malformed' }
+  }
+  if (typeof secret !== 'string' || secret.trim().length === 0) {
+    return { ok: false, reason: 'malformed' }
+  }
+
+  const segments = raw.split(SEPARATOR)
+  if (segments.length !== 2) return { ok: false, reason: 'malformed' }
+  const [payloadB64, sigB64] = segments
+  if (!payloadB64 || !sigB64) return { ok: false, reason: 'malformed' }
+
+  const expected = hmac(payloadB64, secret)
+  const actual = base64urlDecode(sigB64)
+  if (!actual) return { ok: false, reason: 'malformed' }
+
+  // Reject obvious length mismatches before timing-safe-compare so we
+  // don't have to special-case Buffer.alloc; but always do the actual
+  // comparison constant-time when lengths agree.
+  if (actual.length !== expected.length) return { ok: false, reason: 'bad-signature' }
+  if (!timingSafeEqual(actual, expected)) return { ok: false, reason: 'bad-signature' }
+
+  const payloadBuf = base64urlDecode(payloadB64)
+  if (!payloadBuf) return { ok: false, reason: 'malformed' }
+
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(payloadBuf.toString('utf-8'))
+  } catch {
+    return { ok: false, reason: 'invalid-payload' }
+  }
+
+  if (!isAuthSessionShape(parsed)) {
+    return { ok: false, reason: 'invalid-payload' }
+  }
+
+  if (typeof parsed.expiresAt !== 'number' || !Number.isFinite(parsed.expiresAt)) {
+    return { ok: false, reason: 'missing-expiry' }
+  }
+  if (parsed.expiresAt <= now) {
+    return { ok: false, reason: 'expired' }
+  }
+
+  return { ok: true, value: parsed }
+}
+
+function isAuthSessionShape(value: unknown): value is AuthSession {
+  if (!value || typeof value !== 'object') return false
+  const v = value as Record<string, unknown>
+  if (!v.user || typeof v.user !== 'object') return false
+  const u = v.user as Record<string, unknown>
+  if (typeof u.email !== 'string' || u.email.length === 0) return false
+  if (u.role !== 'admin' && u.role !== 'editor') return false
+  return true
+}

package/src/api-routes/_vercel-origin.ts

@@ -12,11 +12,7 @@
  * or non-Vercel environments.
  */
 export function getPublicOrigin(request: Request): string {
-  const host =
-    request.headers.get('x-forwarded-host') ??
-    request.headers.get('host') ??
-    'localhost'
-  const proto =
-    request.headers.get('x-forwarded-proto')?.split(',')[0]?.trim() ?? 'https'
+  const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? 'localhost'
+  const proto = request.headers.get('x-forwarded-proto')?.split(',')[0]?.trim() ?? 'https'
   return `${proto}://${host}`
 }

package/src/api-routes/_webhook-dispatcher.ts

@@ -1,15 +1,15 @@
 import {
-  parseWebhooksFile,
-  selectWebhooksForEvent,
   type WebhookConfig,
   type WebhookEvent,
   type WebhookPayload,
+  parseWebhooksFile,
+  selectWebhooksForEvent,
 } from '@setzkasten-cms/core'
-import { resolveStorageConfigForRequest } from './_storage-config'
-import { resolveGitHubTokenForRequest } from './_github-token'
 import { cachedFetch } from './_github-cache'
-import { recordWebhookFire } from './_webhook-status-store'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
 import { signPayload } from './_webhook-signing'
+import { recordWebhookFire } from './_webhook-status-store'
 
 const WEBHOOKS_FILE = (contentPath: string) => `${contentPath}/_webhooks.json`
 const DISPATCH_TIMEOUT_MS = 5_000
@@ -48,11 +48,7 @@ export async function fireWebhooks(
   }
 }
 
-async function fireOne(
-  webhook: WebhookConfig,
-  event: WebhookEvent,
-  body: string,
-): Promise<void> {
+async function fireOne(webhook: WebhookConfig, event: WebhookEvent, body: string): Promise<void> {
   const headers: Record<string, string> = {
     'Content-Type': 'application/json',
     'X-Setzkasten-Event': event,
@@ -76,18 +72,18 @@ async function fireOne(
   }
 }
 
-async function loadWebhooksForRequest(
-  request: Request,
-): Promise<readonly WebhookConfig[] | null> {
+async function loadWebhooksForRequest(request: Request): Promise<readonly WebhookConfig[] | null> {
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) return null
 
   const storage = await resolveStorageConfigForRequest(request)
   if (!storage) return null
 
-  const serverConfig = (globalThis as {
-    __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
-  }).__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as {
+      __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } }
+    }
+  ).__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 

package/src/api-routes/_website-resolver.ts

@@ -103,14 +103,10 @@ export function bootstrapResolverFromGlobals(): void {
 
   const fullConfig =
     (typeof __SETZKASTEN_FULL_CONFIG__ !== 'undefined' ? __SETZKASTEN_FULL_CONFIG__ : null) ??
-    ((globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as
-      | FullConfig
-      | undefined)
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ as FullConfig | undefined)
   const buildStorage =
     (typeof __SETZKASTEN_STORAGE__ !== 'undefined' ? __SETZKASTEN_STORAGE__ : null) ??
-    ((globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ as
-      | BuildTimeStorage
-      | undefined)
+    ((globalThis as Record<string, unknown>).__SETZKASTEN_STORAGE__ as BuildTimeStorage | undefined)
 
   const storageKind = fullConfig?.storage?.kind
   if (isMultiKind(storageKind)) {
@@ -165,10 +161,7 @@ export function bootstrapResolverFromGlobals(): void {
   // PUBLIC_SITE_URL stays as an escape hatch for setups without `site:`.
   const websiteUrlLiteral =
     typeof __SETZKASTEN_WEBSITE_URL__ !== 'undefined' ? __SETZKASTEN_WEBSITE_URL__ : ''
-  const previewOrigin =
-    websiteUrlLiteral ||
-    process.env.PUBLIC_SITE_URL ||
-    'http://localhost:4321'
+  const previewOrigin = websiteUrlLiteral || process.env.PUBLIC_SITE_URL || 'http://localhost:4321'
 
   state = {
     mode: 'single',

package/src/api-routes/auth-callback.ts

@@ -1,7 +1,9 @@
-import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
-import { sessionCookieOptions } from './_session-cookie.js'
+import type { APIRoute } from 'astro'
 import { makeRoleResolver } from './_role-resolver'
+import { sessionCookieOptions } from './_session-cookie.js'
+import { resolveSessionSecret } from './_session-secret.js'
+import { signSession } from './_session-signing'
 
 /**
  * GitHub OAuth callback handler.
@@ -38,10 +40,12 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
   const adminPath = config?.adminPath ?? '/admin'
 
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
-  const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
+  const protocol =
+    request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
   const redirectUri = `${protocol}://${host}/api/setzkasten/auth/callback`
 
-  const allowedEmailsRaw = import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
+  const allowedEmailsRaw =
+    import.meta.env.SETZKASTEN_ALLOWED_EMAILS ?? process.env.SETZKASTEN_ALLOWED_EMAILS ?? ''
   const allowedEmails = allowedEmailsRaw
     ? allowedEmailsRaw.split(',').map((e: string) => e.trim())
     : undefined
@@ -64,7 +68,7 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
     const session = sessionResult.value
     cookies.set(
       'setzkasten_session',
-      JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+      signSession({ user: session.user, expiresAt: session.expiresAt }, resolveSessionSecret()),
       sessionCookieOptions(import.meta.env.PROD),
     )
 

package/src/api-routes/auth-login.ts

@@ -1,5 +1,5 @@
-import type { APIRoute } from 'astro'
 import { createGitHubAuth } from '@setzkasten-cms/auth'
+import type { APIRoute } from 'astro'
 
 /**
  * Login initiation – redirects the user to GitHub OAuth.
@@ -14,12 +14,14 @@ export const GET: APIRoute = async ({ request, url, cookies, redirect }) => {
 
   // On Vercel, url.origin may resolve to localhost. Use the Host header instead.
   const host = request.headers.get('x-forwarded-host') ?? request.headers.get('host') ?? url.host
-  const protocol = request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
+  const protocol =
+    request.headers.get('x-forwarded-proto') ?? (url.protocol === 'https:' ? 'https' : 'http')
   const origin = `${protocol}://${host}`
   const redirectUri = `${origin}/api/setzkasten/auth/callback`
 
   const ghClientId = import.meta.env.GITHUB_CLIENT_ID ?? process.env.GITHUB_CLIENT_ID ?? ''
-  const ghClientSecret = import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
+  const ghClientSecret =
+    import.meta.env.GITHUB_CLIENT_SECRET ?? process.env.GITHUB_CLIENT_SECRET ?? ''
 
   if (!ghClientId || !ghClientSecret) {
     return new Response('GitHub OAuth not configured', { status: 500 })

package/src/api-routes/auth-logout.ts

@@ -5,9 +5,26 @@ import { sessionCookieOptions } from './_session-cookie.js'
  * Logout – clears the session cookie and redirects to home.
  * Mirrors the same `domain` attribute used when the cookie was set so the
  * browser actually deletes it on subdomains in standalone-admin setups.
+ *
+ * POST-only post-M4: a third-party site embedding `<img src=
+ * "https://your-cms/api/setzkasten/logout">` could log out admins
+ * mid-session under the GET form. The SPA's logout button does a POST
+ * (or a fetch) so this is purely a CSRF-grade tightening.
  */
-export const GET: APIRoute = async ({ cookies, redirect }) => {
+async function handleLogout({ cookies, redirect }: Parameters<APIRoute>[0]) {
   const opts = sessionCookieOptions(false)
   cookies.delete('setzkasten_session', { path: '/', domain: opts.domain })
   return redirect('/')
 }
+
+export const POST: APIRoute = handleLogout
+
+/**
+ * Backwards-compat: a few existing UI links still hit GET. We keep the
+ * handler but log a deprecation warning so the SPA can be migrated.
+ */
+export const GET: APIRoute = async (ctx) => {
+  // eslint-disable-next-line no-console
+  console.warn('[setzkasten] GET /api/setzkasten/logout is deprecated — use POST')
+  return handleLogout(ctx)
+}

package/src/api-routes/auth-session.ts

@@ -1,36 +1,28 @@
 import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
 
 /**
  * Session check – returns current user info or 401.
  * Used by the admin SPA to check if the user is logged in.
+ *
+ * Goes through `parseSession` so signature verification + expiry are
+ * enforced in exactly one place. Pre-C1 this route did its own
+ * `JSON.parse` — the only one that ever checked `expiresAt`, while
+ * `_auth-guard.parseSession` ignored it. Now both run through the
+ * same verifier.
  */
 export const GET: APIRoute = async ({ cookies }) => {
-  const session = cookies.get('setzkasten_session')?.value
+  const raw = cookies.get('setzkasten_session')?.value
+  const session = parseSession(raw)
   if (!session) {
+    if (raw) cookies.delete('setzkasten_session', { path: '/' })
     return new Response(JSON.stringify({ authenticated: false }), {
       status: 401,
       headers: { 'Content-Type': 'application/json' },
     })
   }
 
-  try {
-    const parsed = JSON.parse(session) as { user: unknown; expiresAt: number }
-
-    if (parsed.expiresAt < Date.now()) {
-      cookies.delete('setzkasten_session', { path: '/' })
-      return new Response(JSON.stringify({ authenticated: false, reason: 'expired' }), {
-        status: 401,
-        headers: { 'Content-Type': 'application/json' },
-      })
-    }
-
-    return new Response(JSON.stringify({ authenticated: true, user: parsed.user }), {
-      headers: { 'Content-Type': 'application/json' },
-    })
-  } catch {
-    return new Response(JSON.stringify({ authenticated: false }), {
-      status: 401,
-      headers: { 'Content-Type': 'application/json' },
-    })
-  }
+  return new Response(JSON.stringify({ authenticated: true, user: session.user }), {
+    headers: { 'Content-Type': 'application/json' },
+  })
 }

package/src/api-routes/auth-setzkasten-login.ts

@@ -1,12 +1,14 @@
-import type { APIRoute } from 'astro'
 import { verifyFirebaseJwt } from '@setzkasten-cms/auth'
-import { readEditorsFile } from './editors'
-import { readGlobalConfig } from './global-config'
-import { resolveStorageConfig } from './_storage-config'
+import type { APIRoute } from 'astro'
+import { gateFeature } from './_feature-gate'
 import { resolveConfigRepoToken } from './_github-token'
-import { sessionCookieOptions } from './_session-cookie.js'
 import { makeRoleResolver } from './_role-resolver'
-import { gateFeature } from './_feature-gate'
+import { sessionCookieOptions } from './_session-cookie.js'
+import { resolveSessionSecret } from './_session-secret.js'
+import { signSession } from './_session-signing'
+import { resolveStorageConfig } from './_storage-config'
+import { readEditorsFile } from './editors'
+import { readGlobalConfig } from './global-config'
 
 /**
  * POST /api/setzkasten/auth/setzkasten-login
@@ -40,8 +42,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     return new Response('Storage not configured', { status: 500 })
   }
   const { owner, repo, branch } = storage
-  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
-    .__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } }
+  ).__SETZKASTEN_CONFIG__
   const contentPath: string = serverConfig?.storage?.contentPath ?? 'content'
 
   const tokenResult = await resolveConfigRepoToken()
@@ -78,7 +81,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const session = result.value
   cookies.set(
     'setzkasten_session',
-    JSON.stringify({ user: session.user, expiresAt: session.expiresAt }),
+    signSession({ user: session.user, expiresAt: session.expiresAt }, resolveSessionSecret()),
     sessionCookieOptions(import.meta.env.PROD),
   )
 

package/src/api-routes/catalog-add.ts

@@ -1,11 +1,11 @@
-import type { APIRoute } from 'astro'
 import { registry } from '@setzkasten-cms/catalog'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { validateCatalogAddBody, buildCatalogAddCommit } from './catalog-helpers'
-import { generateAddKey, addToPageConfig } from './section-management'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import type { APIRoute } from 'astro'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import { buildCatalogAddCommit, validateCatalogAddBody } from './catalog-helpers'
+import { addToPageConfig, generateAddKey } from './section-management'
 
 /**
  * POST /api/setzkasten/catalog/add
@@ -27,13 +27,16 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as Record<string, unknown>
+    const body = (await request.json()) as Record<string, unknown>
 
     let validated: ReturnType<typeof validateCatalogAddBody>
     try {
       validated = validateCatalogAddBody(body)
     } catch (e) {
-      return Response.json({ error: e instanceof Error ? e.message : 'Invalid request' }, { status: 400 })
+      return Response.json(
+        { error: e instanceof Error ? e.message : 'Invalid request' },
+        { status: 400 },
+      )
     }
 
     const { templateName, pageKey } = validated
@@ -44,9 +47,15 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
     const fullConfig = (globalThis as any).__SETZKASTEN_FULL_CONFIG__
-    const contentPath = (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
+    const contentPath =
+      (body.contentPath as string) || serverConfig?.storage?.contentPath || 'content'
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     const headers = {
@@ -69,7 +78,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // 2. Determine section key
     const sectionKey = validated.sectionKey ?? generateAddKey(existingKeys, templateName)
     if (existingKeys.includes(sectionKey)) {
-      return Response.json({ error: `Key "${sectionKey}" already exists on this page` }, { status: 409 })
+      return Response.json(
+        { error: `Key "${sectionKey}" already exists on this page` },
+        { status: 409 },
+      )
     }
 
     // 3. Get template + default content
@@ -87,7 +99,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const updatedConfig = addToPageConfig(pageConfig, sectionKey, templateName)
 
     const commitResult = await batchCommit(
-      owner, repo, branch,
+      owner,
+      repo,
+      branch,
       [
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(template.defaultContent, null, 2) },
@@ -111,50 +125,94 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }
 
 async function batchCommit(
-  owner: string, repo: string, branch: string,
+  owner: string,
+  repo: string,
+  branch: string,
   files: Array<{ path: string; content: string }>,
   message: string,
   headers: Record<string, string>,
 ): Promise<{ ok: true; sha: string } | { ok: false; error: string }> {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers })
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers },
+    )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const { object: { sha: headSha } } = await refRes.json() as { object: { sha: string } }
+    const {
+      object: { sha: headSha },
+    } = (await refRes.json()) as { object: { sha: string } }
 
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers })
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers },
+    )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const { tree: { sha: baseSha } } = await commitRes.json() as { tree: { sha: string } }
+    const {
+      tree: { sha: baseSha },
+    } = (await commitRes.json()) as { tree: { sha: string } }
 
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
-      method: 'POST', headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map(f => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })) }),
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
     })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const { sha: treeSha } = await treeRes.json() as { sha: string }
+    const { sha: treeSha } = (await treeRes.json()) as { sha: string }
 
     const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message }),
     })
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const { sha: newSha } = await newCommitRes.json() as { sha: string }
-
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: 'PATCH', headers, body: JSON.stringify({ sha: newSha }),
-    })
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const { sha: newSha } = (await newCommitRes.json()) as { sha: string }
+
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify({ sha: newSha }),
+      },
+    )
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` }
 
     return { ok: true, sha: newSha }