@setzkasten-cms/astro-admin 1.4.2 → 1.5.0

package/src/api-routes/pages.ts

@@ -1,8 +1,9 @@
 import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
+import { cachedFetch } from './_github-cache'
 import { resolveGitHubTokenForRequest } from './_github-token'
-import { readPagesMeta, type PagesMetaTarget } from './_pages-meta-store'
+import { type PagesMetaTarget, readPagesMeta } from './_pages-meta-store'
 import { resolveStorageConfigForRequest } from './_storage-config'
-import { cachedFetch } from './_github-cache'
 
 interface PageInfo {
   path: string
@@ -29,7 +30,9 @@ declare const __SETZKASTEN_PAGES__: PageInfo[] | undefined
  */
 export function resolvePages(): PageInfo[] {
   const buildPages = typeof __SETZKASTEN_PAGES__ !== 'undefined' ? __SETZKASTEN_PAGES__ : null
-  return buildPages ?? (globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[] ?? []
+  return (
+    buildPages ?? ((globalThis as Record<string, unknown>).__SETZKASTEN_PAGES__ as PageInfo[]) ?? []
+  )
 }
 
 /**
@@ -47,11 +50,16 @@ export function resolvePages(): PageInfo[] {
  * would see the admin's own page list — typically a single "index"
  * stub — instead of its real pages.
  */
-export const GET: APIRoute = async ({ request }) => {
+export const GET: APIRoute = async ({ request, cookies }) => {
+  // Authenticated users only — pre-fix this was an unauthenticated
+  // reconnaissance endpoint that also minted an installation token to
+  // crawl `src/pages/` of any website the App could reach.
+  if (!parseSession(cookies.get('setzkasten_session')?.value)) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
   const isMulti = request.headers.get('x-sk-website') !== null
-  const pages = isMulti
-    ? await fetchPagesFromGitHub(request).catch(() => [])
-    : resolvePages()
+  const pages = isMulti ? await fetchPagesFromGitHub(request).catch(() => []) : resolvePages()
 
   const enriched = await enrichWithLastModified(pages, request).catch(() => pages)
 
@@ -116,10 +124,7 @@ async function fetchPagesFromGitHub(request: Request): Promise<PageInfo[]> {
   })
 }
 
-async function enrichWithLastModified(
-  pages: PageInfo[],
-  request: Request,
-): Promise<PageInfo[]> {
+async function enrichWithLastModified(pages: PageInfo[], request: Request): Promise<PageInfo[]> {
   if (pages.length === 0) return pages
 
   const storage = await resolveStorageConfigForRequest(request)

package/src/api-routes/section-add.ts

@@ -1,9 +1,10 @@
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { generateAddKey, addToPageConfig } from './section-management'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { addToPageConfig, generateAddKey } from './section-management'
 
 /**
  * POST /api/setzkasten/sections/add
@@ -29,7 +30,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       sectionType: string
       sectionKey?: string
@@ -52,8 +53,25 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     if (!pageKey || !sectionType) {
       return Response.json({ error: 'pageKey and sectionType are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(sectionType)) {
+      return Response.json({ error: 'invalid sectionType' }, { status: 400 })
+    }
+    if (body.sectionKey !== undefined && !isSafeKey(body.sectionKey)) {
+      return Response.json({ error: 'invalid sectionKey' }, { status: 400 })
+    }
+    if (sourcePage !== undefined && !isSafeKey(sourcePage)) {
+      return Response.json({ error: 'invalid sourcePage' }, { status: 400 })
+    }
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     const headers = {
@@ -76,7 +94,10 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // 2. Determine key
     const newKey = body.sectionKey ?? generateAddKey(existingKeys, sectionType)
     if (existingKeys.includes(newKey)) {
-      return Response.json({ error: `Key "${newKey}" already exists on this page` }, { status: 409 })
+      return Response.json(
+        { error: `Key "${newKey}" already exists on this page` },
+        { status: 409 },
+      )
     }
 
     // 3. Determine initial content: sourcePage seed → schema defaults → empty
@@ -88,7 +109,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
       const sourceJsonPath = `${contentPath}/_sections/${sourceKey}.json`
       const sourceContent = await fetchFileContent(owner, repo, branch, sourceJsonPath, githubToken)
       if (sourceContent) {
-        try { defaultContent = JSON.parse(sourceContent) } catch { /* fallback to schema */ }
+        try {
+          defaultContent = JSON.parse(sourceContent)
+        } catch {
+          /* fallback to schema */
+        }
       }
     }
     if (Object.keys(defaultContent).length === 0) {
@@ -101,7 +126,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const sectionJsonPath = `${contentPath}/_sections/${newKey}.json`
 
     const commitResult = await batchCommit(
-      owner, repo, branch,
+      owner,
+      repo,
+      branch,
       [
         { path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) },
         { path: sectionJsonPath, content: JSON.stringify(defaultContent, null, 2) },
@@ -154,50 +181,94 @@ function buildDefaultContent(fields: Record<string, any>): Record<string, unknow
   return result
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }
 
 async function batchCommit(
-  owner: string, repo: string, branch: string,
+  owner: string,
+  repo: string,
+  branch: string,
   files: Array<{ path: string; content: string }>,
   message: string,
   headers: Record<string, string>,
 ): Promise<{ ok: true; sha: string } | { ok: false; error: string }> {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers })
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers },
+    )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const { object: { sha: headSha } } = await refRes.json() as { object: { sha: string } }
+    const {
+      object: { sha: headSha },
+    } = (await refRes.json()) as { object: { sha: string } }
 
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers })
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers },
+    )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const { tree: { sha: baseSha } } = await commitRes.json() as { tree: { sha: string } }
+    const {
+      tree: { sha: baseSha },
+    } = (await commitRes.json()) as { tree: { sha: string } }
 
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
-      method: 'POST', headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map(f => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })) }),
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
     })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const { sha: treeSha } = await treeRes.json() as { sha: string }
+    const { sha: treeSha } = (await treeRes.json()) as { sha: string }
 
     const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message }),
     })
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const { sha: newSha } = await newCommitRes.json() as { sha: string }
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const { sha: newSha } = (await newCommitRes.json()) as { sha: string }
 
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: 'PATCH', headers, body: JSON.stringify({ sha: newSha }),
-    })
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify({ sha: newSha }),
+      },
+    )
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` }
 
     return { ok: true, sha: newSha }

package/src/api-routes/section-commit-pending.ts

@@ -1,13 +1,13 @@
-import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
-import { resolveStorageConfigForRequest, prefixPath } from './_storage-config'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import { isSafeKey, setPageLastModified } from '@setzkasten-cms/core'
+import type { APIRoute } from 'astro'
+import { convertToSetHtml } from '../init/template-patcher-v2'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
-import { convertToSetHtml } from '../init/template-patcher-v2'
 import { readPagesMeta } from './_pages-meta-store'
-import { setPageLastModified } from '@setzkasten-cms/core'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * POST /api/setzkasten/sections/commit-pending
@@ -33,7 +33,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       pageConfig: Record<string, unknown>
       sections: Array<{ key: string; content: Record<string, unknown> }>
@@ -54,10 +54,33 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const { pageKey, pageConfig, sections, edits = [] } = body
 
     if (!pageKey || !pageConfig || !Array.isArray(sections)) {
-      return Response.json({ error: 'pageKey, pageConfig, and sections are required' }, { status: 400 })
+      return Response.json(
+        { error: 'pageKey, pageConfig, and sections are required' },
+        { status: 400 },
+      )
+    }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    // Every section/edit key composes a file path. Reject anything that
+    // could escape the _sections/ folder before we hit the GitHub API.
+    for (const s of sections) {
+      if (!isSafeKey(s?.key)) {
+        return Response.json({ error: `invalid section key: ${s?.key}` }, { status: 400 })
+      }
+    }
+    for (const e of edits) {
+      if (!isSafeKey(e?.key)) {
+        return Response.json({ error: `invalid edit key: ${e?.key}` }, { status: 400 })
+      }
     }
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     const headers = {
@@ -73,11 +96,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const files: Array<{ path: string; content: string }> = [
       { path: pageConfigPath, content: JSON.stringify(pageConfig, null, 2) },
-      ...sections.map(s => ({
+      ...sections.map((s) => ({
         path: `${contentPath}/_sections/${s.key}.json`,
         content: JSON.stringify(s.content, null, 2),
       })),
-      ...edits.map(s => ({
+      ...edits.map((s) => ({
         path: `${contentPath}/_sections/${s.key}.json`,
         content: JSON.stringify(s.content, null, 2),
       })),
@@ -90,15 +113,15 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // run convertToSetHtml (idempotent — no-op if already converted), and
     // include the patched template in the same batch commit.
     const sectionsWithHtml = [...sections, ...edits]
-      .filter(s => containsHtmlValue(s.content))
-      .map(s => s.key)
+      .filter((s) => containsHtmlValue(s.content))
+      .map((s) => s.key)
     const projectPrefix = (storage as { projectPrefix?: string }).projectPrefix
     for (const sectionKey of sectionsWithHtml) {
       const componentPath = prefixPath(
         `src/components/sections/${pascalCase(sectionKey)}Section.astro`,
         projectPrefix ?? '',
       )
-      if (files.some(f => f.path === componentPath)) continue
+      if (files.some((f) => f.path === componentPath)) continue
       const original = await fetchFileContent(owner, repo, branch, componentPath, githubToken)
       if (!original) continue
       const patched = convertToSetHtml(original)
@@ -124,11 +147,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
 
     const parts: string[] = []
     if (sections.length > 0) {
-      const keys = sections.map(s => s.key).join(', ')
+      const keys = sections.map((s) => s.key).join(', ')
       parts.push(`add ${sections.length} section${sections.length > 1 ? 's' : ''} (${keys})`)
     }
     if (edits.length > 0) {
-      const keys = edits.map(s => s.key).join(', ')
+      const keys = edits.map((s) => s.key).join(', ')
       parts.push(`update ${edits.length} section${edits.length > 1 ? 's' : ''} (${keys})`)
     }
     const editorEmail = parseSession(cookies.get('setzkasten_session')?.value)?.user?.email
@@ -146,9 +169,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const repoRoot: string | undefined = serverConfig?.repoRoot
     if (repoRoot) {
       await Promise.all(
-        files.map(f => writeFile(join(repoRoot, f.path), f.content, 'utf-8').catch(() => {
-          // Non-fatal: local sync is best-effort (e.g. read-only FS in some CI envs)
-        })),
+        files.map((f) =>
+          writeFile(join(repoRoot, f.path), f.content, 'utf-8').catch(() => {
+            // Non-fatal: local sync is best-effort (e.g. read-only FS in some CI envs)
+          }),
+        ),
       )
     }
 
@@ -196,7 +221,7 @@ function pascalCase(input: string): string {
   return input
     .split(/[-_\s]+/)
     .filter(Boolean)
-    .map(s => s.charAt(0).toUpperCase() + s.slice(1))
+    .map((s) => s.charAt(0).toUpperCase() + s.slice(1))
     .join('')
 }
 
@@ -219,7 +244,7 @@ async function fetchFileContent(
       },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
+    const data = (await res.json()) as { content: string; encoding: string }
     return data.encoding === 'base64'
       ? Buffer.from(data.content, 'base64').toString('utf-8')
       : data.content
@@ -229,37 +254,65 @@ async function fetchFileContent(
 }
 
 async function batchCommit(
-  owner: string, repo: string, branch: string,
+  owner: string,
+  repo: string,
+  branch: string,
   files: Array<{ path: string; content: string }>,
   message: string,
   headers: Record<string, string>,
 ): Promise<{ ok: true; sha: string } | { ok: false; error: string }> {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers })
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers },
+    )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const { object: { sha: headSha } } = await refRes.json() as { object: { sha: string } }
+    const {
+      object: { sha: headSha },
+    } = (await refRes.json()) as { object: { sha: string } }
 
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers })
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers },
+    )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const { tree: { sha: baseSha } } = await commitRes.json() as { tree: { sha: string } }
+    const {
+      tree: { sha: baseSha },
+    } = (await commitRes.json()) as { tree: { sha: string } }
 
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
-      method: 'POST', headers,
-      body: JSON.stringify({ base_tree: baseSha, tree: files.map(f => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })) }),
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        base_tree: baseSha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: '100644',
+          type: 'blob',
+          content: f.content,
+        })),
+      }),
     })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const { sha: treeSha } = await treeRes.json() as { sha: string }
+    const { sha: treeSha } = (await treeRes.json()) as { sha: string }
 
     const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message }),
     })
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const { sha: newSha } = await newCommitRes.json() as { sha: string }
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const { sha: newSha } = (await newCommitRes.json()) as { sha: string }
 
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: 'PATCH', headers, body: JSON.stringify({ sha: newSha }),
-    })
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify({ sha: newSha }),
+      },
+    )
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` }
 
     return { ok: true, sha: newSha }

package/src/api-routes/section-delete.ts

@@ -1,9 +1,10 @@
+import { isSafeKey } from '@setzkasten-cms/core'
 import type { APIRoute } from 'astro'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
-import { removeFromPageConfig } from './section-management'
-import { parseSession, guardPageAccess } from './_auth-guard'
+import { guardPageAccess, parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
+import { removeFromPageConfig } from './section-management'
 
 /**
  * DELETE /api/setzkasten/sections
@@ -26,7 +27,7 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       pageKey: string
       sectionKey: string
       owner?: string
@@ -47,8 +48,19 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
     if (!pageKey || !sectionKey) {
       return Response.json({ error: 'pageKey and sectionKey are required' }, { status: 400 })
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: 'invalid pageKey' }, { status: 400 })
+    }
+    if (!isSafeKey(sectionKey)) {
+      return Response.json({ error: 'invalid sectionKey' }, { status: 400 })
+    }
 
-    const denied = await guardPageAccess(parseSession(cookies.get('setzkasten_session')?.value), pageKey, fullConfig, request)
+    const denied = await guardPageAccess(
+      parseSession(cookies.get('setzkasten_session')?.value),
+      pageKey,
+      fullConfig,
+      request,
+    )
     if (denied) return denied
 
     const headers = {
@@ -72,7 +84,9 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
     const sectionJsonPath = `${contentPath}/_sections/${sectionKey}.json`
 
     const commitResult = await batchCommitWithDeletions(
-      owner, repo, branch,
+      owner,
+      repo,
+      branch,
       [{ path: pageConfigPath, content: JSON.stringify(updatedConfig, null, 2) }],
       [sectionJsonPath],
       withTrailers(
@@ -114,57 +128,92 @@ export const DELETE: APIRoute = async ({ request, cookies }) => {
   }
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }
 
 async function batchCommitWithDeletions(
-  owner: string, repo: string, branch: string,
+  owner: string,
+  repo: string,
+  branch: string,
   upserts: Array<{ path: string; content: string }>,
   deletions: string[],
   message: string,
   headers: Record<string, string>,
 ): Promise<{ ok: true; sha: string } | { ok: false; error: string }> {
   try {
-    const refRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, { headers })
+    const refRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      { headers },
+    )
     if (!refRes.ok) return { ok: false, error: `Failed to get HEAD: ${refRes.status}` }
-    const { object: { sha: headSha } } = await refRes.json() as { object: { sha: string } }
+    const {
+      object: { sha: headSha },
+    } = (await refRes.json()) as { object: { sha: string } }
 
-    const commitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`, { headers })
+    const commitRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/commits/${headSha}`,
+      { headers },
+    )
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` }
-    const { tree: { sha: baseSha } } = await commitRes.json() as { tree: { sha: string } }
+    const {
+      tree: { sha: baseSha },
+    } = (await commitRes.json()) as { tree: { sha: string } }
 
     const tree = [
-      ...upserts.map(f => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })),
-      ...deletions.map(path => ({ path, mode: '100644', type: 'blob', sha: null })),
+      ...upserts.map((f) => ({ path: f.path, mode: '100644', type: 'blob', content: f.content })),
+      ...deletions.map((path) => ({ path, mode: '100644', type: 'blob', sha: null })),
     ]
 
     const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ base_tree: baseSha, tree }),
     })
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` }
-    const { sha: treeSha } = await treeRes.json() as { sha: string }
+    const { sha: treeSha } = (await treeRes.json()) as { sha: string }
 
     const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
-      method: 'POST', headers,
+      method: 'POST',
+      headers,
       body: JSON.stringify({ tree: treeSha, parents: [headSha], message }),
     })
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
-    const { sha: newSha } = await newCommitRes.json() as { sha: string }
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` }
+    const { sha: newSha } = (await newCommitRes.json()) as { sha: string }
 
-    const updateRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`, {
-      method: 'PATCH', headers,
-      body: JSON.stringify({ sha: newSha }),
-    })
+    const updateRes = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,
+      {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify({ sha: newSha }),
+      },
+    )
     if (!updateRes.ok) return { ok: false, error: `Failed to update ref: ${updateRes.status}` }
 
     return { ok: true, sha: newSha }