@setzkasten-cms/astro-admin 1.4.2 → 1.5.0

package/dist/{chunk-AM4DZXXM.js → chunk-UJAFZEX2.js}

@@ -1,6 +1,6 @@
 import {
   parseSession
-} from "./chunk-INIWFKQ3.js";
+} from "./chunk-Q5HV47DW.js";
 import {
   resolveStorageConfig
 } from "./chunk-6UIKVKED.js";
@@ -10,7 +10,7 @@ import {
 } from "./chunk-45ARVNT3.js";
 import {
   resolveConfigRepoToken
-} from "./chunk-NKDATSPA.js";
+} from "./chunk-DP6RTINQ.js";
 import {
   withTrailers
 } from "./chunk-KH22FJO5.js";
@@ -27,12 +27,17 @@ var PUT = async ({ request, cookies }) => {
   const session = parseSession(cookies.get("setzkasten_session")?.value);
   if (!session) return new Response("Unauthorized", { status: 401 });
   if (session.user.role !== "admin") return new Response("Forbidden", { status: 403 });
-  let patch;
+  let raw;
   try {
-    patch = await request.json();
+    raw = await request.json();
   } catch {
     return Response.json({ error: "Invalid request body" }, { status: 400 });
   }
+  const validated = validateGlobalConfigPatch(raw);
+  if (!validated.ok) {
+    return Response.json({ error: validated.error }, { status: 400 });
+  }
+  const patch = validated.value;
   const current = await readGlobalConfig() ?? {};
   const next = { ...current };
   for (const [k, v] of Object.entries(patch)) {
@@ -42,6 +47,61 @@ var PUT = async ({ request, cookies }) => {
   await writeGlobalConfig(next);
   return Response.json({ ok: true });
 };
+function validateGlobalConfigPatch(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return { ok: false, error: "Body must be a JSON object" };
+  }
+  const o = input;
+  const out = {};
+  if ("firebaseConfig" in o) {
+    if (o.firebaseConfig === null) {
+      ;
+      out.firebaseConfig = null;
+    } else {
+      if (!o.firebaseConfig || typeof o.firebaseConfig !== "object") {
+        return { ok: false, error: "firebaseConfig must be an object or null" };
+      }
+      const fc = o.firebaseConfig;
+      for (const k of ["apiKey", "authDomain", "projectId"]) {
+        if (typeof fc[k] !== "string" || !fc[k]) {
+          return { ok: false, error: `firebaseConfig.${k} must be a non-empty string` };
+        }
+      }
+      out.firebaseConfig = {
+        apiKey: fc.apiKey,
+        authDomain: fc.authDomain,
+        projectId: fc.projectId
+      };
+    }
+  }
+  if ("theme" in o) {
+    if (o.theme === null) {
+      ;
+      out.theme = null;
+    } else {
+      if (!o.theme || typeof o.theme !== "object") {
+        return { ok: false, error: "theme must be an object or null" };
+      }
+      const t = o.theme;
+      const theme = {};
+      for (const k of ["primaryColor", "brandName", "logo"]) {
+        if (k in t) {
+          if (typeof t[k] !== "string") {
+            return { ok: false, error: `theme.${k} must be a string` };
+          }
+          theme[k] = t[k];
+        }
+      }
+      out.theme = theme;
+    }
+  }
+  for (const k of Object.keys(o)) {
+    if (k !== "firebaseConfig" && k !== "theme") {
+      return { ok: false, error: `unknown top-level field: ${k}` };
+    }
+  }
+  return { ok: true, value: out };
+}
 async function getStorageParams() {
   const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
   const storage = resolveStorageConfig();
@@ -64,7 +124,13 @@ async function readGlobalConfig() {
   return cachedFetch(key, 5 * 6e4, async () => {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();
@@ -102,10 +168,11 @@ async function writeGlobalConfig(config) {
     branch
   };
   if (sha) body.sha = sha;
-  const res = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
-    { method: "PUT", headers, body: JSON.stringify(body) }
-  );
+  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`, {
+    method: "PUT",
+    headers,
+    body: JSON.stringify(body)
+  });
   if (!res.ok) {
     const text = await res.text();
     throw new Error(`GitHub write failed: ${text}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "1.4.2",
+  "version": "1.5.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -226,6 +226,11 @@
       "import": "./dist/api-routes/setup-github-app-bounce.js",
       "default": "./dist/api-routes/setup-github-app-bounce.js"
     },
+    "./setup-github-app-credentials": {
+      "types": "./dist/api-routes/setup-github-app-credentials.d.ts",
+      "import": "./dist/api-routes/setup-github-app-credentials.js",
+      "default": "./dist/api-routes/setup-github-app-credentials.js"
+    },
     "./setup-github-app-repos": {
       "types": "./dist/api-routes/setup-github-app-repos.d.ts",
       "import": "./dist/api-routes/setup-github-app-repos.js",
@@ -270,11 +275,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "1.4.2",
-    "@setzkasten-cms/catalog": "1.4.2",
-    "@setzkasten-cms/core": "1.4.2",
-    "@setzkasten-cms/github-adapter": "1.4.2",
-    "@setzkasten-cms/ui": "1.4.2"
+    "@setzkasten-cms/auth": "1.5.0",
+    "@setzkasten-cms/core": "1.5.0",
+    "@setzkasten-cms/catalog": "1.5.0",
+    "@setzkasten-cms/github-adapter": "1.5.0",
+    "@setzkasten-cms/ui": "1.5.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",
@@ -285,6 +290,7 @@
     "build": "tsup",
     "typecheck": "tsc --noEmit",
     "test": "vitest run",
+    "coverage": "vitest run --coverage",
     "test:watch": "vitest"
   }
 }

package/src/api-routes/__tests__/_session-signing.test.ts

@@ -0,0 +1,114 @@
+import type { AuthSession } from '@setzkasten-cms/core'
+import { describe, expect, it } from 'vitest'
+import { signSession, verifySessionCookie } from '../_session-signing'
+
+const SECRET = 'test-secret-do-not-use-in-production-32bytes-min'
+
+const VALID_SESSION: AuthSession = {
+  user: {
+    id: 'u-1',
+    email: 'a@example.com',
+    name: 'A',
+    provider: 'github',
+    role: 'admin',
+  },
+  expiresAt: Date.now() + 60_000,
+}
+
+describe('signSession + verifySessionCookie', () => {
+  it('round-trips a valid payload', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.user.email).toBe('a@example.com')
+      expect(result.value.user.role).toBe('admin')
+    }
+  })
+
+  it('rejects a tampered payload (role escalation attempt)', () => {
+    const cookie = signSession(
+      { ...VALID_SESSION, user: { ...VALID_SESSION.user, role: 'editor' } },
+      SECRET,
+    )
+    const [, sig] = cookie.split('.')
+    // Re-encode the payload with role: 'admin' but keep the original signature.
+    const forgedPayload = Buffer.from(
+      JSON.stringify({ ...VALID_SESSION, user: { ...VALID_SESSION.user, role: 'admin' } }),
+    ).toString('base64url')
+    const forged = `${forgedPayload}.${sig}`
+
+    const result = verifySessionCookie(forged, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a tampered signature', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const [payload] = cookie.split('.')
+    const result = verifySessionCookie(`${payload}.AAAAAAAAAAAA`, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects an expired session', () => {
+    const expired: AuthSession = { ...VALID_SESSION, expiresAt: Date.now() - 1 }
+    const cookie = signSession(expired, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a session with expiresAt in the distant future (max-age cap)', () => {
+    // An attacker who got an old cookie can't push the expiry forever.
+    // Honest: we don't enforce a server-side max age (besides cookie
+    // maxAge), but the signing layer must at minimum require a numeric
+    // expiresAt — guard against missing/bogus types.
+    const noExpiry = { ...VALID_SESSION, expiresAt: undefined as unknown as number }
+    const cookie = signSession(noExpiry, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a cookie signed with a different secret', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const result = verifySessionCookie(cookie, 'different-secret-still-32-bytes-or-longer')
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects an unsigned plain JSON cookie (legacy format)', () => {
+    // Pre-C1 cookies were `JSON.stringify(session)`. Those must not pass
+    // verification — users get logged out and re-auth, which is correct.
+    const legacy = JSON.stringify(VALID_SESSION)
+    const result = verifySessionCookie(legacy, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects malformed cookies', () => {
+    expect(verifySessionCookie('', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('only-one-segment', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('a.b.c', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('!.!', SECRET).ok).toBe(false)
+  })
+
+  it('uses constant-time comparison (no early exit on length mismatch)', () => {
+    // We can't directly assert timing, but we can assert that the API
+    // doesn't throw on signature length mismatch — a naïve `===` on
+    // buffers would. This guards against accidental refactor regressions.
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const [payload] = cookie.split('.')
+    expect(verifySessionCookie(`${payload}.x`, SECRET).ok).toBe(false)
+    expect(verifySessionCookie(`${payload}.${'A'.repeat(200)}`, SECRET).ok).toBe(false)
+  })
+
+  it('refuses to sign without a secret', () => {
+    expect(() => signSession(VALID_SESSION, '')).toThrow()
+    expect(() => signSession(VALID_SESSION, '   ')).toThrow()
+  })
+
+  it('respects a custom `now` value for testing (deterministic expiry)', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    // 1 ms before expiry: ok. 1 ms after: rejected.
+    const ok = verifySessionCookie(cookie, SECRET, VALID_SESSION.expiresAt - 1)
+    const expired = verifySessionCookie(cookie, SECRET, VALID_SESSION.expiresAt + 1)
+    expect(ok.ok).toBe(true)
+    expect(expired.ok).toBe(false)
+  })
+})

package/src/api-routes/__tests__/_session-test-helper.ts

@@ -0,0 +1,27 @@
+/**
+ * Test-only helper to mint signed session cookies. Pre-C1 tests used
+ * `JSON.stringify` and expected `parseSession` to accept it — that's
+ * exactly the forgery surface the production code now rejects.
+ *
+ * On import, this module pins `SETZKASTEN_SESSION_SECRET` so that the
+ * production resolver returns the same secret the helper signs with.
+ * No filesystem touch (avoids creating .setzkasten/dev-secret during
+ * test runs).
+ */
+import type { AuthSession } from '@setzkasten-cms/core'
+import { __setDevSessionSecretForTests } from '../_dev-session-secret'
+import { signSession } from '../_session-signing'
+
+const TEST_SECRET = 'sk-test-fixed-secret-32-bytes-min-vitest-deterministic-runs-v1'
+
+// Env var is the first lookup in the resolver — set it once on module
+// load so all callers, including ones that don't import this helper
+// directly but transitively touch parseSession, see the same value.
+process.env.SETZKASTEN_SESSION_SECRET = TEST_SECRET
+// Also seed the dev cache so the file-based fallback never triggers
+// even if the env var is unset in some test that resets globals.
+__setDevSessionSecretForTests(TEST_SECRET)
+
+export function makeTestSessionCookie(session: AuthSession): string {
+  return signSession(session, TEST_SECRET)
+}

package/src/api-routes/__tests__/add-section-helpers.test.ts

@@ -14,7 +14,7 @@
  *   6. calculateRelativePath: correct relative paths for various depths
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, expect, it } from 'vitest'
 
 // ---------------------------------------------------------------------------
 // Helpers under test — re-implemented inline so we can test them without
@@ -26,15 +26,24 @@ import { describe, it, expect } from 'vitest'
 
 function getDefaultValue(fieldType: string): unknown {
   switch (fieldType) {
-    case 'text': return ''
-    case 'number': return 0
-    case 'boolean': return false
-    case 'image': return { path: '', alt: '' }
-    case 'array': return []
-    case 'color': return '#000000'
-    case 'date': return ''
-    case 'icon': return ''
-    default: return ''
+    case 'text':
+      return ''
+    case 'number':
+      return 0
+    case 'boolean':
+      return false
+    case 'image':
+      return { path: '', alt: '' }
+    case 'array':
+      return []
+    case 'color':
+      return '#000000'
+    case 'date':
+      return ''
+    case 'icon':
+      return ''
+    default:
+      return ''
   }
 }
 
@@ -106,12 +115,10 @@ function buildPageConfig(
   return { sections: [{ key: sectionKey, enabled: true }] }
 }
 
-/** Build the sk-preview clone: strip prerender, fix import depths */
-function buildPreviewClone(patchedSource: string): string {
-  return patchedSource
-    .replace(/\bexport\s+const\s+prerender\s*=\s*true\s*;?\s*\n?/, '')
-    .replace(/(from\s+')(\.\.\/)/g, '$1../$2')
-    .replace(/(from\s+")(\.\.\/)/g, '$1../$2')
+/** Build a thin SSR wrapper that imports the production page as a component */
+function buildPreviewClone(relativePage: string): string {
+  const importDepth = '../'.repeat(relativePage.split('/').length)
+  return `---\nexport const prerender = false;\nimport Page from '${importDepth}${relativePage}';\n---\n<Page />\n`
 }
 
 // ---------------------------------------------------------------------------
@@ -153,20 +160,32 @@ describe('Content JSON generation', () => {
   ]
 
   it('should use defaultValue when provided', () => {
-    const data = buildSectionData({}, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      {},
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.heading).toBe('Hello')
     expect(data.count).toBe(42)
     expect(data.items).toEqual(['a', 'b'])
   })
 
   it('should fall back to getDefaultValue when defaultValue is absent', () => {
-    const data = buildSectionData({}, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      {},
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.active).toBe(false)
   })
 
   it('should not overwrite existing values on re-adoption', () => {
     const existing = { heading: 'Existing Title', count: 99 }
-    const data = buildSectionData(existing, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      existing,
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.heading).toBe('Existing Title')
     expect(data.count).toBe(99)
   })
@@ -225,50 +244,35 @@ describe('Page config — section deduplication', () => {
 })
 
 // ---------------------------------------------------------------------------
-// 4. sk-preview clone — prerender removal and import depth fix
+// 4. sk-preview clone — thin wrapper with correct import depth
 // ---------------------------------------------------------------------------
 
 describe('sk-preview clone generation', () => {
-  const patched = `---
-export const prerender = true;
-import BaseLayout from '../../layouts/BaseLayout.astro';
-import { getSection } from 'setzkasten:content'
-const skData = getSection('_page_docs_architecture')
----
-
-<BaseLayout>
-  <section id="section-_page_docs_architecture">
-    <h1 set:html={skData?.heading ?? 'Architektur'} />
-  </section>
-</BaseLayout>
-`
-
-  it('should remove the prerender export', () => {
-    const clone = buildPreviewClone(patched)
-    expect(clone).not.toContain('export const prerender')
+  it('top-level page: imports with one ../', () => {
+    const clone = buildPreviewClone('impressum.astro')
+    expect(clone).toBe(
+      "---\nexport const prerender = false;\nimport Page from '../impressum.astro';\n---\n<Page />\n",
+    )
   })
 
-  it('should add an extra ../ level to relative imports', () => {
-    const clone = buildPreviewClone(patched)
-    // Original: '../../layouts/BaseLayout.astro'
-    // After fix: '../../../layouts/BaseLayout.astro'
-    expect(clone).toContain("from '../../../layouts/BaseLayout.astro'")
+  it('nested page: imports with correct depth', () => {
+    const clone = buildPreviewClone('docs/index.astro')
+    expect(clone).toContain("import Page from '../../docs/index.astro'")
   })
 
-  it('should not touch absolute module imports', () => {
-    const clone = buildPreviewClone(patched)
-    expect(clone).toContain("from 'setzkasten:content'")
+  it('three-level page: imports with three ../', () => {
+    const clone = buildPreviewClone('docs/api/reference.astro')
+    expect(clone).toContain("import Page from '../../../docs/api/reference.astro'")
   })
 
-  it('should preserve getSection call', () => {
-    const clone = buildPreviewClone(patched)
-    expect(clone).toContain("getSection('_page_docs_architecture')")
+  it('always has export const prerender = false', () => {
+    const clone = buildPreviewClone('impressum.astro')
+    expect(clone).toContain('export const prerender = false')
   })
 
-  it('should handle double-quoted imports too', () => {
-    const dq = patched.replace("from '../../layouts", 'from "../../layouts').replace("BaseLayout.astro'", 'BaseLayout.astro"')
-    const clone = buildPreviewClone(dq)
-    expect(clone).toContain('../../../layouts/BaseLayout.astro')
+  it('renders as <Page />', () => {
+    const clone = buildPreviewClone('impressum.astro')
+    expect(clone).toContain('<Page />')
   })
 })
 
@@ -278,28 +282,36 @@ const skData = getSection('_page_docs_architecture')
 
 describe('calculateRelativePath', () => {
   it('same directory', () => {
-    expect(calculateRelativePath('src/components', 'src/components/Hero.astro'))
-      .toBe('./Hero.astro')
+    expect(calculateRelativePath('src/components', 'src/components/Hero.astro')).toBe(
+      './Hero.astro',
+    )
   })
 
   it('one level up', () => {
-    expect(calculateRelativePath('src/pages', 'src/components/sections/HeroSection.astro'))
-      .toBe('../components/sections/HeroSection.astro')
+    expect(calculateRelativePath('src/pages', 'src/components/sections/HeroSection.astro')).toBe(
+      '../components/sections/HeroSection.astro',
+    )
   })
 
   it('two levels up', () => {
-    expect(calculateRelativePath('src/pages/docs', 'src/components/sections/HeroSection.astro'))
-      .toBe('../../components/sections/HeroSection.astro')
+    expect(
+      calculateRelativePath('src/pages/docs', 'src/components/sections/HeroSection.astro'),
+    ).toBe('../../components/sections/HeroSection.astro')
   })
 
   it('completely different paths', () => {
-    expect(calculateRelativePath('apps/website/src/pages', 'apps/website/src/components/sections/Footer.astro'))
-      .toBe('../components/sections/Footer.astro')
+    expect(
+      calculateRelativePath(
+        'apps/website/src/pages',
+        'apps/website/src/components/sections/Footer.astro',
+      ),
+    ).toBe('../components/sections/Footer.astro')
   })
 
   it('component in same folder as page', () => {
-    expect(calculateRelativePath('src/pages', 'src/pages/HeroSection.astro'))
-      .toBe('./HeroSection.astro')
+    expect(calculateRelativePath('src/pages', 'src/pages/HeroSection.astro')).toBe(
+      './HeroSection.astro',
+    )
   })
 })
 
@@ -309,16 +321,14 @@ describe('calculateRelativePath', () => {
 // When the UI sends pagePath='src/pages/docs.astro' but the actual file is
 // src/pages/docs/index.astro (directory route), the sk-preview clone must
 // be placed at sk-preview/docs/index.astro (NOT sk-preview/docs.astro).
-//
-// sk-preview/docs.astro (wrong): same depth as src/pages/sk-preview/
-//   → buildPreviewClone adds "../" → "../../layouts/" becomes "../../../layouts/" ✗
-//
-// sk-preview/docs/index.astro (correct): one level deeper in sk-preview/docs/
-//   → buildPreviewClone adds "../" → "../../layouts/" becomes "../../../layouts/" ✓
+// The import depth must match: docs/index.astro → '../../docs/index.astro'.
 // ---------------------------------------------------------------------------
 
 /** Simulate resolvedPagePath logic from init-add-section.ts step 4 */
-function resolvePagePath(bodyPagePath: string, fileExistsOnGitHub: (path: string) => boolean): string {
+function resolvePagePath(
+  bodyPagePath: string,
+  fileExistsOnGitHub: (path: string) => boolean,
+): string {
   if (fileExistsOnGitHub(bodyPagePath)) return bodyPagePath
   if (bodyPagePath.endsWith('.astro')) {
     const indexPath = bodyPagePath.replace(/\.astro$/, '/index.astro')
@@ -334,7 +344,6 @@ describe('Directory-route clone path (build-failure regression)', () => {
   })
 
   it('directory route: resolvedPagePath falls back to index.astro', () => {
-    // docs.astro does not exist, docs/index.astro does
     const resolved = resolvePagePath(
       'src/pages/docs.astro',
       (p) => p === 'src/pages/docs/index.astro',
@@ -342,42 +351,27 @@ describe('Directory-route clone path (build-failure regression)', () => {
     expect(resolved).toBe('src/pages/docs/index.astro')
   })
 
-  it('directory route: clone relativePage uses resolved path, not body path', () => {
-    const bodyPagePath = 'src/pages/docs.astro'
+  it('directory route: relativePage uses resolved path, not body path', () => {
     const resolved = resolvePagePath(
-      bodyPagePath,
+      'src/pages/docs.astro',
       (p) => p === 'src/pages/docs/index.astro',
     )
     const relativePage = resolved.replace(/^src\/pages\//, '')
-    // Must be 'docs/index.astro', NOT 'docs.astro'
     expect(relativePage).toBe('docs/index.astro')
     expect(relativePage).not.toBe('docs.astro')
   })
 
-  it('directory route clone gets correct import depth after buildPreviewClone', () => {
-    // src/pages/docs/index.astro imports '../../layouts/BaseLayout.astro'
-    // clone at sk-preview/docs/index.astro needs '../../../layouts/BaseLayout.astro'
-    const source = `---
-import BaseLayout from '../../layouts/BaseLayout.astro';
-import { getSection } from 'setzkasten:content'
-const skData = getSection('_page_docs')
----
-<BaseLayout><slot /></BaseLayout>
-`
-    const clone = buildPreviewClone(source)
-    expect(clone).toContain("from '../../../layouts/BaseLayout.astro'")
+  it('directory route: clone imports from correct depth', () => {
+    const clone = buildPreviewClone('docs/index.astro')
+    expect(clone).toContain("import Page from '../../docs/index.astro'")
   })
 
-  it('wrong clone path (docs.astro) would have incorrect import depth', () => {
-    // sk-preview/docs.astro is at same depth as sk-preview/*.astro
-    // It needs '../../layouts/' but buildPreviewClone would produce '../../../layouts/'
-    // This test documents the bug: if relativePage were 'docs.astro' instead of
-    // 'docs/index.astro', the clone ends up at the wrong path and imports break.
-    const bodyPagePath = 'src/pages/docs.astro'
-    const wrongRelativePage = bodyPagePath.replace(/^src\/pages\//, '') // 'docs.astro' ← the bug
-    expect(wrongRelativePage).toBe('docs.astro')
-    // The CORRECT relative page (after fix):
-    const correctRelativePage = 'src/pages/docs/index.astro'.replace(/^src\/pages\//, '')
-    expect(correctRelativePage).toBe('docs/index.astro')
+  it('wrong relativePage (docs.astro) produces shallow import depth', () => {
+    // Documents why resolved path matters: wrong path → wrong import
+    const wrongClone = buildPreviewClone('docs.astro')
+    expect(wrongClone).toContain("import Page from '../docs.astro'")
+    // vs correct:
+    const correctClone = buildPreviewClone('docs/index.astro')
+    expect(correctClone).toContain("import Page from '../../docs/index.astro'")
   })
 })