@setzkasten-cms/astro-admin 1.4.2 → 1.5.0

package/src/api-routes/history.ts

@@ -1,9 +1,9 @@
+import { type CommitInfo, parseCoAuthorTrailers } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { resolveStorageConfigForRequest } from './_storage-config'
-import { resolveGitHubTokenForRequest } from './_github-token'
 import { requireAdmin } from './_auth-guard'
-import { parseCoAuthorTrailers, type CommitInfo } from '@setzkasten-cms/core'
 import { cachedFetch } from './_github-cache'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * GET /api/setzkasten/history?path=<contentPath>&before=<sha>

package/src/api-routes/icons-local.ts

@@ -1,11 +1,11 @@
-import type { APIRoute } from 'astro'
 import {
   LOCAL_ICONS_DISCOVERY_PATHS,
   resolveLocalIconsPaths,
   sanitizeSvg,
 } from '@setzkasten-cms/core'
-import { resolveStorageConfigForRequest, prefixPath } from './_storage-config'
+import type { APIRoute } from 'astro'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * GET /api/setzkasten/icons/local

package/src/api-routes/init-add-section.ts

@@ -1,11 +1,18 @@
-import type { APIRoute } from 'astro'
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { InferredSection } from '@setzkasten-cms/core/init'
 import { addSectionToConfig } from '@setzkasten-cms/core/init'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { patchTemplateForFields, stripTemplateFallbacks } from '../init/template-patcher-v2'
+import type { APIRoute } from 'astro'
 import type { RepeatedGroup } from '../init/analyzer-types'
+import {
+  detectChildImports,
+  patchChildComponentForFieldPrefix,
+  patchTemplateForFields,
+  stripTemplateFallbacks,
+} from '../init/template-patcher-v2'
+import { requireAdmin } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * POST /api/setzkasten/init/add-section
@@ -17,10 +24,8 @@ import { resolveGitHubTokenForRequest } from './_github-token'
  * Body: { owner, repo, branch?, projectRoot, section, pageKey, contentPath? }
  */
 export const POST: APIRoute = async ({ request, cookies }) => {
-  const session = cookies.get('setzkasten_session')?.value
-  if (!session) {
-    return new Response('Unauthorized', { status: 401 })
-  }
+  const denied = requireAdmin(cookies.get('setzkasten_session')?.value)
+  if (denied) return denied
 
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) {
@@ -29,7 +34,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       owner?: string
       repo?: string
       branch?: string
@@ -42,7 +47,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const storage = await resolveStorageConfigForRequest(request, body)
     if (!storage) {
-      return Response.json({ error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.' }, { status: 400 })
+      return Response.json(
+        {
+          error: 'Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars.',
+        },
+        { status: 400 },
+      )
     }
     const { owner, repo, branch, projectPrefix } = storage
     const serverConfig = (globalThis as any).__SETZKASTEN_CONFIG__
@@ -52,6 +62,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     if (!section || !pageKey) {
       return Response.json({ error: 'section and pageKey are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(section.key)) {
+      return Response.json({ error: 'invalid section key' }, { status: 400 })
+    }
 
     const headers = {
       Authorization: `Bearer ${githubToken}`,
@@ -67,7 +83,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const existingConfig = await fetchFileContent(owner, repo, branch, configPath, githubToken)
 
     if (existingConfig) {
-      const updatedConfig = addSectionToConfig(existingConfig, section.key, section, section.allFields)
+      const updatedConfig = addSectionToConfig(
+        existingConfig,
+        section.key,
+        section,
+        section.allFields,
+      )
       if (updatedConfig) {
         filesToCommit.push({ path: configPath, content: updatedConfig })
       }
@@ -75,13 +96,21 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     // 2. Generate content JSON — merge new fields into existing data (if any)
     const sectionJsonPath = `${contentPath}/_sections/${section.key}.json`
-    const existingSectionJson = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken)
+    const existingSectionJson = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      sectionJsonPath,
+      githubToken,
+    )
 
     let sectionData: Record<string, unknown> = {}
     if (existingSectionJson) {
       try {
         sectionData = JSON.parse(existingSectionJson)
-      } catch { /* start fresh if invalid */ }
+      } catch {
+        /* start fresh if invalid */
+      }
     }
 
     // Only add values for fields that don't already exist
@@ -94,7 +123,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     }
 
     // Reorder JSON keys to match template order (allFields if available, else fields)
-    const orderedKeys = (section.allFields ?? section.fields).map(f => f.key)
+    const orderedKeys = (section.allFields ?? section.fields).map((f) => f.key)
     const orderedData: Record<string, unknown> = {}
     for (const key of orderedKeys) {
       if (key in sectionData) {
@@ -116,7 +145,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // 3. Update page config (add section to the end)
     const configKey = '_' + pageKey.replace(/\//g, '_')
     const pageConfigPath = `${contentPath}/pages/${configKey}.json`
-    const existingPageConfig = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken)
+    const existingPageConfig = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      pageConfigPath,
+      githubToken,
+    )
 
     let pageConfig: { sections: Array<{ key: string; enabled: boolean }> }
     if (existingPageConfig) {
@@ -154,9 +189,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         if (pageSource) resolvedPagePath = indexPath
       }
       if (pageSource) {
-        const repeatedGroups: RepeatedGroup[] = (section as any)._analyzerResult?.repeatedGroups ?? []
+        const repeatedGroups: RepeatedGroup[] =
+          (section as any)._analyzerResult?.repeatedGroups ?? []
         let patchedSource = await patchTemplateForFields(
-          pageSource, section.key, section.allFields ?? section.fields, repeatedGroups,
+          pageSource,
+          section.key,
+          section.allFields ?? section.fields,
+          repeatedGroups,
           { mode: 'page' },
         )
 
@@ -175,14 +214,19 @@ export const POST: APIRoute = async ({ request, cookies }) => {
             // analyzer's text-only defaultValue.
             const existingIsPlain = typeof existing === 'string' && !/<[a-z]/.test(existing)
             const newIsHtml = typeof value === 'string' && /<[a-z]/.test(value as string)
-            if (!(key in sectionData) || existing === '' || existing === null || (existingIsPlain && newIsHtml)) {
+            if (
+              !(key in sectionData) ||
+              existing === '' ||
+              existing === null ||
+              (existingIsPlain && newIsHtml)
+            ) {
               sectionData[key] = value
               jsonUpdated = true
             }
           }
           // Update the content JSON entry if we added values
           if (jsonUpdated) {
-            const jsonIdx = filesToCommit.findIndex(f => f.path === sectionJsonPath)
+            const jsonIdx = filesToCommit.findIndex((f) => f.path === sectionJsonPath)
             if (jsonIdx !== -1) {
               filesToCommit[jsonIdx]!.content = JSON.stringify(sectionData, null, 2)
             }
@@ -192,18 +236,16 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         if (patchedSource !== pageSource) {
           filesToCommit.push({ path: fullPagePath, content: patchedSource })
 
-          // Create an SSR clone under sk-preview/ so the live preview iframe works.
-          // The patched source already uses getSection() which is draft-aware.
-          // The clone lives one directory deeper (sk-preview/<page> vs <page>),
-          // so all relative imports need one extra "../" level.
-          // Use resolvedPagePath (not body.pagePath) to get correct clone depth for
-          // directory routes (docs/index.astro → sk-preview/docs/index.astro).
-          const previewCopySource = patchedSource
-            .replace(/\bexport\s+const\s+prerender\s*=\s*true\s*;?\s*\n?/, '')
-            .replace(/(from\s+')(\.\.\/)/g, '$1../$2')
-            .replace(/(from\s+")(\.\.\/)/g, '$1../$2')
+          // Create a thin SSR wrapper under sk-preview/ so the live preview iframe works.
+          // The wrapper imports the production page as a component — no content duplication.
+          // In SSR context (prerender=false), getSection() runs at request time (draft-aware).
+          // In static context (/impressum), the same component runs at build time.
           // resolvedPagePath: e.g. "src/pages/docs/index.astro" (for directory routes)
           const relativePage = resolvedPagePath.replace(/^src\/pages\//, '') // "docs/index.astro"
+          // Import depth: sk-preview/impressum.astro → '../impressum.astro'
+          //               sk-preview/docs/index.astro → '../../docs/index.astro'
+          const importDepth = '../'.repeat(relativePage.split('/').length)
+          const previewCopySource = `---\nexport const prerender = false;\nimport Page from '${importDepth}${relativePage}';\n---\n<Page />\n`
           const previewCopyPath = prefixPath(`src/pages/sk-preview/${relativePage}`, projectPrefix)
           filesToCommit.push({ path: previewCopyPath, content: previewCopySource })
         }
@@ -211,10 +253,12 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         // Update content JSON with any _classN fields from patcher
         const fields = section.allFields ?? section.fields
         for (const g of repeatedGroups) {
-          const topField = fields.find(f => f.key === g.fieldKey)
+          const topField = fields.find((f) => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          sectionData[g.fieldKey] = (topField.defaultValue as unknown[]).filter(item => item != null)
-          const jsonIdx = filesToCommit.findIndex(f => f.path === sectionJsonPath)
+          sectionData[g.fieldKey] = (topField.defaultValue as unknown[]).filter(
+            (item) => item != null,
+          )
+          const jsonIdx = filesToCommit.findIndex((f) => f.path === sectionJsonPath)
           if (jsonIdx !== -1) {
             filesToCommit[jsonIdx]!.content = JSON.stringify(sectionData, null, 2)
           }
@@ -222,10 +266,22 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       }
       // No patchPageFile / SECTION_COMPONENTS for page-level sections
     } else if (section.componentPath) {
-      const componentSource = await fetchFileContent(owner, repo, branch, section.componentPath, githubToken)
+      const componentSource = await fetchFileContent(
+        owner,
+        repo,
+        branch,
+        section.componentPath,
+        githubToken,
+      )
       if (componentSource) {
-        const repeatedGroups: RepeatedGroup[] = (section as any)._analyzerResult?.repeatedGroups ?? []
-        const patchedSource = await patchTemplateForFields(componentSource, section.key, section.allFields ?? section.fields, repeatedGroups)
+        const repeatedGroups: RepeatedGroup[] =
+          (section as any)._analyzerResult?.repeatedGroups ?? []
+        const patchedSource = await patchTemplateForFields(
+          componentSource,
+          section.key,
+          section.allFields ?? section.fields,
+          repeatedGroups,
+        )
         if (patchedSource !== componentSource) {
           filesToCommit.push({ path: section.componentPath, content: patchedSource })
         }
@@ -235,19 +291,45 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         // Re-read the now-mutated fields and update the content JSON entry.
         const fields = section.allFields ?? section.fields
         for (const g of repeatedGroups) {
-          const topField = fields.find(f => f.key === g.fieldKey)
+          const topField = fields.find((f) => f.key === g.fieldKey)
           if (!topField || !Array.isArray(topField.defaultValue)) continue
-          const items = (topField.defaultValue as Array<Record<string, unknown>>).filter(item => item != null)
+          const items = (topField.defaultValue as Array<Record<string, unknown>>).filter(
+            (item) => item != null,
+          )
 
           // Update sectionData with the enriched items array
           sectionData[g.fieldKey] = items
 
           // Rebuild and replace the content JSON in filesToCommit
-          const jsonIdx = filesToCommit.findIndex(f => f.path === sectionJsonPath)
+          const jsonIdx = filesToCommit.findIndex((f) => f.path === sectionJsonPath)
           if (jsonIdx !== -1) {
             filesToCommit[jsonIdx]!.content = JSON.stringify(sectionData, null, 2)
           }
         }
+
+        // 4b. Patch child components (e.g. PricingCard) used by repeated-component groups.
+        // detectChildImports finds any import whose component name matches a field's
+        // options.sourceComponent, then patchChildComponentForFieldPrefix injects
+        // fieldPrefix prop + data-sk-field bindings into that component file.
+        const allFields = section.allFields ?? section.fields
+        const childPatches = detectChildImports(patchedSource, allFields as any)
+        for (const child of childPatches) {
+          const sectionDir = section.componentPath.replace(/\/[^/]+$/, '')
+          const resolvedChildPath = resolveRelativePath(sectionDir, child.importPath)
+          if (!resolvedChildPath) continue
+          const childSource = await fetchFileContent(
+            owner,
+            repo,
+            branch,
+            resolvedChildPath,
+            githubToken,
+          )
+          if (!childSource) continue
+          const patchedChild = patchChildComponentForFieldPrefix(childSource, child.innerFields)
+          if (patchedChild !== childSource) {
+            filesToCommit.push({ path: resolvedChildPath, content: patchedChild })
+          }
+        }
       }
 
       // 5. Patch page file — add import and registry entry for new section
@@ -255,7 +337,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         const fullPagePath = prefixPath(body.pagePath, projectPrefix)
         const pageSource = await fetchFileContent(owner, repo, branch, fullPagePath, githubToken)
         if (pageSource) {
-          const patched = patchPageFile(pageSource, section.key, section.componentName, section.componentPath, body.pagePath)
+          const patched = patchPageFile(
+            pageSource,
+            section.key,
+            section.componentName,
+            section.componentPath,
+            body.pagePath,
+          )
           if (patched && patched !== pageSource) {
             filesToCommit.push({ path: fullPagePath, content: patched })
           }
@@ -266,7 +354,13 @@ export const POST: APIRoute = async ({ request, cookies }) => {
         const previewPath = prefixPath(`${pageDir}/sk-preview/[...page].astro`, projectPrefix)
         const previewSource = await fetchFileContent(owner, repo, branch, previewPath, githubToken)
         if (previewSource) {
-          const patchedPreview = patchPageFile(previewSource, section.key, section.componentName, section.componentPath, `${pageDir}/sk-preview/[...page].astro`)
+          const patchedPreview = patchPageFile(
+            previewSource,
+            section.key,
+            section.componentName,
+            section.componentPath,
+            `${pageDir}/sk-preview/[...page].astro`,
+          )
           if (patchedPreview && patchedPreview !== previewSource) {
             filesToCommit.push({ path: previewPath, content: patchedPreview })
           }
@@ -284,9 +378,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       repo,
       branch,
       filesToCommit,
-      withTrailers(existingSectionJson
-        ? `content: update ${section.key} section — add new fields`
-        : `content: add ${section.key} section to Setzkasten`),
+      withTrailers(
+        existingSectionJson
+          ? `content: update ${section.key} section — add new fields`
+          : `content: add ${section.key} section to Setzkasten`,
+      ),
       headers,
     )
 
@@ -316,15 +412,24 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
 function getDefaultValue(fieldType: string): unknown {
   switch (fieldType) {
-    case 'text': return ''
-    case 'number': return 0
-    case 'boolean': return false
-    case 'image': return { path: '', alt: '' }
-    case 'array': return []
-    case 'color': return '#000000'
-    case 'date': return ''
-    case 'icon': return ''
-    default: return ''
+    case 'text':
+      return ''
+    case 'number':
+      return 0
+    case 'boolean':
+      return false
+    case 'image':
+      return { path: '', alt: '' }
+    case 'array':
+      return []
+    case 'color':
+      return '#000000'
+    case 'date':
+      return ''
+    case 'icon':
+      return ''
+    default:
+      return ''
   }
 }
 
@@ -380,8 +485,12 @@ export function patchPageFile(
       // Find the last entry and add after it
       const lastEntryMatch = registryContent.match(/.*\w+Section,?\s*$/m)
       if (lastEntryMatch && lastEntryMatch.index !== undefined) {
-        const insertPos = registryMatch.index! + registryMatch[0].indexOf(registryContent) + lastEntryMatch.index + lastEntryMatch[0].length
-        const newEntry = `\n  [normalize('${sectionKey}')]: ${componentName},`
+        const insertPos =
+          registryMatch.index! +
+          registryMatch[0].indexOf(registryContent) +
+          lastEntryMatch.index +
+          lastEntryMatch[0].length
+        const newEntry = `\n  '${sectionKey}': ${componentName},`
         patched = patched.slice(0, insertPos) + newEntry + patched.slice(insertPos)
       }
     }
@@ -403,7 +512,11 @@ export function calculateRelativePath(fromDir: string, toPath: string): string {
 
   // Find common prefix length
   let common = 0
-  while (common < fromParts.length && common < toParts.length && fromParts[common] === toParts[common]) {
+  while (
+    common < fromParts.length &&
+    common < toParts.length &&
+    fromParts[common] === toParts[common]
+  ) {
     common++
   }
 
@@ -414,6 +527,28 @@ export function calculateRelativePath(fromDir: string, toPath: string): string {
   return '../'.repeat(ups) + remaining
 }
 
+/**
+ * Resolve a relative import path against a base directory to get the repo-root-relative path.
+ * e.g. resolveRelativePath("src/components/sections", "../components/PricingCard.astro")
+ *      → "src/components/PricingCard.astro"
+ */
+function resolveRelativePath(baseDir: string, relativePath: string): string | null {
+  if (relativePath.startsWith('/')) return relativePath.replace(/^\//, '')
+  const parts = [...baseDir.split('/').filter(Boolean)]
+  for (const segment of relativePath.split('/')) {
+    if (segment === '.') continue
+    if (segment === '..') {
+      parts.pop()
+      continue
+    }
+    parts.push(segment)
+  }
+  const resolved = parts.join('/')
+  // Must stay within src/ or project root — reject anything that escapes
+  if (resolved.startsWith('../') || resolved.startsWith('/')) return null
+  return resolved
+}
+
 async function fetchFileContent(
   owner: string,
   repo: string,
@@ -433,7 +568,7 @@ async function fetchFileContent(
       },
     )
     if (!response.ok) return null
-    const data = await response.json() as { content: string; encoding: string }
+    const data = (await response.json()) as { content: string; encoding: string }
     return data.encoding === 'base64'
       ? Buffer.from(data.content, 'base64').toString('utf-8')
       : data.content
@@ -457,7 +592,7 @@ async function batchCommit(
       { headers },
     )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const refData = await refRes.json() as { object: { sha: string } }
+    const refData = (await refRes.json()) as { object: { sha: string } }
     const headSha = refData.object.sha
 
     // 2. Get base tree
@@ -466,43 +601,38 @@ async function batchCommit(
       { headers },
     )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const commitData = await commitRes.json() as { tree: { sha: string } }
+    const commitData = (await commitRes.json()) as { tree: { sha: string } }
 
     // 3. Create new tree
-    const treeRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/trees`,
-      {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          base_tree: commitData.tree.sha,
-          tree: files.map((f) => ({
-            path: f.path,
-            mode: '100644',
-            type: 'blob',
-            content: f.content,
-          })),
-        }),
-      },
-    )
+    const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: commitData.tree.sha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
+    })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const treeData = await treeRes.json() as { sha: string }
+    const treeData = (await treeRes.json()) as { sha: string }
 
     // 4. Create commit
-    const newCommitRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/commits`,
-      {
-        method: 'POST',
-        headers,
-        body: JSON.stringify({
-          tree: treeData.sha,
-          parents: [headSha],
-          message,
-        }),
-      },
-    )
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const newCommitData = await newCommitRes.json() as { sha: string }
+    const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        tree: treeData.sha,
+        parents: [headSha],
+        message,
+      }),
+    })
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const newCommitData = (await newCommitRes.json()) as { sha: string }
 
     // 5. Update ref
     const updateRes = await fetch(