@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/dist/{chunk-AM4DZXXM.js → chunk-UJAFZEX2.js}

@@ -1,6 +1,6 @@
 import {
   parseSession
-} from "./chunk-INIWFKQ3.js";
+} from "./chunk-Q5HV47DW.js";
 import {
   resolveStorageConfig
 } from "./chunk-6UIKVKED.js";
@@ -10,7 +10,7 @@ import {
 } from "./chunk-45ARVNT3.js";
 import {
   resolveConfigRepoToken
-} from "./chunk-NKDATSPA.js";
+} from "./chunk-DP6RTINQ.js";
 import {
   withTrailers
 } from "./chunk-KH22FJO5.js";
@@ -27,12 +27,17 @@ var PUT = async ({ request, cookies }) => {
   const session = parseSession(cookies.get("setzkasten_session")?.value);
   if (!session) return new Response("Unauthorized", { status: 401 });
   if (session.user.role !== "admin") return new Response("Forbidden", { status: 403 });
-  let patch;
+  let raw;
   try {
-    patch = await request.json();
+    raw = await request.json();
   } catch {
     return Response.json({ error: "Invalid request body" }, { status: 400 });
   }
+  const validated = validateGlobalConfigPatch(raw);
+  if (!validated.ok) {
+    return Response.json({ error: validated.error }, { status: 400 });
+  }
+  const patch = validated.value;
   const current = await readGlobalConfig() ?? {};
   const next = { ...current };
   for (const [k, v] of Object.entries(patch)) {
@@ -42,6 +47,61 @@ var PUT = async ({ request, cookies }) => {
   await writeGlobalConfig(next);
   return Response.json({ ok: true });
 };
+function validateGlobalConfigPatch(input) {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return { ok: false, error: "Body must be a JSON object" };
+  }
+  const o = input;
+  const out = {};
+  if ("firebaseConfig" in o) {
+    if (o.firebaseConfig === null) {
+      ;
+      out.firebaseConfig = null;
+    } else {
+      if (!o.firebaseConfig || typeof o.firebaseConfig !== "object") {
+        return { ok: false, error: "firebaseConfig must be an object or null" };
+      }
+      const fc = o.firebaseConfig;
+      for (const k of ["apiKey", "authDomain", "projectId"]) {
+        if (typeof fc[k] !== "string" || !fc[k]) {
+          return { ok: false, error: `firebaseConfig.${k} must be a non-empty string` };
+        }
+      }
+      out.firebaseConfig = {
+        apiKey: fc.apiKey,
+        authDomain: fc.authDomain,
+        projectId: fc.projectId
+      };
+    }
+  }
+  if ("theme" in o) {
+    if (o.theme === null) {
+      ;
+      out.theme = null;
+    } else {
+      if (!o.theme || typeof o.theme !== "object") {
+        return { ok: false, error: "theme must be an object or null" };
+      }
+      const t = o.theme;
+      const theme = {};
+      for (const k of ["primaryColor", "brandName", "logo"]) {
+        if (k in t) {
+          if (typeof t[k] !== "string") {
+            return { ok: false, error: `theme.${k} must be a string` };
+          }
+          theme[k] = t[k];
+        }
+      }
+      out.theme = theme;
+    }
+  }
+  for (const k of Object.keys(o)) {
+    if (k !== "firebaseConfig" && k !== "theme") {
+      return { ok: false, error: `unknown top-level field: ${k}` };
+    }
+  }
+  return { ok: true, value: out };
+}
 async function getStorageParams() {
   const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
   const storage = resolveStorageConfig();
@@ -64,7 +124,13 @@ async function readGlobalConfig() {
   return cachedFetch(key, 5 * 6e4, async () => {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28" } }
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      }
     );
     if (!res.ok) return null;
     const data = await res.json();
@@ -102,10 +168,11 @@ async function writeGlobalConfig(config) {
     branch
   };
   if (sha) body.sha = sha;
-  const res = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
-    { method: "PUT", headers, body: JSON.stringify(body) }
-  );
+  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`, {
+    method: "PUT",
+    headers,
+    body: JSON.stringify(body)
+  });
   if (!res.ok) {
     const text = await res.text();
     throw new Error(`GitHub write failed: ${text}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@setzkasten-cms/astro-admin",
-  "version": "1.4.6",
+  "version": "1.5.0",
   "description": "Setzkasten Admin-UI, Init-Wizard und Adoptions-Pipeline für Astro",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
@@ -226,6 +226,11 @@
       "import": "./dist/api-routes/setup-github-app-bounce.js",
       "default": "./dist/api-routes/setup-github-app-bounce.js"
     },
+    "./setup-github-app-credentials": {
+      "types": "./dist/api-routes/setup-github-app-credentials.d.ts",
+      "import": "./dist/api-routes/setup-github-app-credentials.js",
+      "default": "./dist/api-routes/setup-github-app-credentials.js"
+    },
     "./setup-github-app-repos": {
       "types": "./dist/api-routes/setup-github-app-repos.d.ts",
       "import": "./dist/api-routes/setup-github-app-repos.js",
@@ -270,11 +275,11 @@
   },
   "dependencies": {
     "@astrojs/compiler": "^3.0.0",
-    "@setzkasten-cms/auth": "1.4.6",
-    "@setzkasten-cms/catalog": "1.4.6",
-    "@setzkasten-cms/core": "1.4.6",
-    "@setzkasten-cms/github-adapter": "1.4.6",
-    "@setzkasten-cms/ui": "1.4.6"
+    "@setzkasten-cms/auth": "1.5.0",
+    "@setzkasten-cms/core": "1.5.0",
+    "@setzkasten-cms/catalog": "1.5.0",
+    "@setzkasten-cms/github-adapter": "1.5.0",
+    "@setzkasten-cms/ui": "1.5.0"
   },
   "peerDependencies": {
     "astro": "^5.0.0",
@@ -285,6 +290,7 @@
     "build": "tsup",
     "typecheck": "tsc --noEmit",
     "test": "vitest run",
+    "coverage": "vitest run --coverage",
     "test:watch": "vitest"
   }
 }

package/src/api-routes/__tests__/_session-signing.test.ts

@@ -0,0 +1,114 @@
+import type { AuthSession } from '@setzkasten-cms/core'
+import { describe, expect, it } from 'vitest'
+import { signSession, verifySessionCookie } from '../_session-signing'
+
+const SECRET = 'test-secret-do-not-use-in-production-32bytes-min'
+
+const VALID_SESSION: AuthSession = {
+  user: {
+    id: 'u-1',
+    email: 'a@example.com',
+    name: 'A',
+    provider: 'github',
+    role: 'admin',
+  },
+  expiresAt: Date.now() + 60_000,
+}
+
+describe('signSession + verifySessionCookie', () => {
+  it('round-trips a valid payload', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.value.user.email).toBe('a@example.com')
+      expect(result.value.user.role).toBe('admin')
+    }
+  })
+
+  it('rejects a tampered payload (role escalation attempt)', () => {
+    const cookie = signSession(
+      { ...VALID_SESSION, user: { ...VALID_SESSION.user, role: 'editor' } },
+      SECRET,
+    )
+    const [, sig] = cookie.split('.')
+    // Re-encode the payload with role: 'admin' but keep the original signature.
+    const forgedPayload = Buffer.from(
+      JSON.stringify({ ...VALID_SESSION, user: { ...VALID_SESSION.user, role: 'admin' } }),
+    ).toString('base64url')
+    const forged = `${forgedPayload}.${sig}`
+
+    const result = verifySessionCookie(forged, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a tampered signature', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const [payload] = cookie.split('.')
+    const result = verifySessionCookie(`${payload}.AAAAAAAAAAAA`, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects an expired session', () => {
+    const expired: AuthSession = { ...VALID_SESSION, expiresAt: Date.now() - 1 }
+    const cookie = signSession(expired, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a session with expiresAt in the distant future (max-age cap)', () => {
+    // An attacker who got an old cookie can't push the expiry forever.
+    // Honest: we don't enforce a server-side max age (besides cookie
+    // maxAge), but the signing layer must at minimum require a numeric
+    // expiresAt — guard against missing/bogus types.
+    const noExpiry = { ...VALID_SESSION, expiresAt: undefined as unknown as number }
+    const cookie = signSession(noExpiry, SECRET)
+    const result = verifySessionCookie(cookie, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects a cookie signed with a different secret', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const result = verifySessionCookie(cookie, 'different-secret-still-32-bytes-or-longer')
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects an unsigned plain JSON cookie (legacy format)', () => {
+    // Pre-C1 cookies were `JSON.stringify(session)`. Those must not pass
+    // verification — users get logged out and re-auth, which is correct.
+    const legacy = JSON.stringify(VALID_SESSION)
+    const result = verifySessionCookie(legacy, SECRET)
+    expect(result.ok).toBe(false)
+  })
+
+  it('rejects malformed cookies', () => {
+    expect(verifySessionCookie('', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('only-one-segment', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('a.b.c', SECRET).ok).toBe(false)
+    expect(verifySessionCookie('!.!', SECRET).ok).toBe(false)
+  })
+
+  it('uses constant-time comparison (no early exit on length mismatch)', () => {
+    // We can't directly assert timing, but we can assert that the API
+    // doesn't throw on signature length mismatch — a naïve `===` on
+    // buffers would. This guards against accidental refactor regressions.
+    const cookie = signSession(VALID_SESSION, SECRET)
+    const [payload] = cookie.split('.')
+    expect(verifySessionCookie(`${payload}.x`, SECRET).ok).toBe(false)
+    expect(verifySessionCookie(`${payload}.${'A'.repeat(200)}`, SECRET).ok).toBe(false)
+  })
+
+  it('refuses to sign without a secret', () => {
+    expect(() => signSession(VALID_SESSION, '')).toThrow()
+    expect(() => signSession(VALID_SESSION, '   ')).toThrow()
+  })
+
+  it('respects a custom `now` value for testing (deterministic expiry)', () => {
+    const cookie = signSession(VALID_SESSION, SECRET)
+    // 1 ms before expiry: ok. 1 ms after: rejected.
+    const ok = verifySessionCookie(cookie, SECRET, VALID_SESSION.expiresAt - 1)
+    const expired = verifySessionCookie(cookie, SECRET, VALID_SESSION.expiresAt + 1)
+    expect(ok.ok).toBe(true)
+    expect(expired.ok).toBe(false)
+  })
+})

package/src/api-routes/__tests__/_session-test-helper.ts

@@ -0,0 +1,27 @@
+/**
+ * Test-only helper to mint signed session cookies. Pre-C1 tests used
+ * `JSON.stringify` and expected `parseSession` to accept it — that's
+ * exactly the forgery surface the production code now rejects.
+ *
+ * On import, this module pins `SETZKASTEN_SESSION_SECRET` so that the
+ * production resolver returns the same secret the helper signs with.
+ * No filesystem touch (avoids creating .setzkasten/dev-secret during
+ * test runs).
+ */
+import type { AuthSession } from '@setzkasten-cms/core'
+import { __setDevSessionSecretForTests } from '../_dev-session-secret'
+import { signSession } from '../_session-signing'
+
+const TEST_SECRET = 'sk-test-fixed-secret-32-bytes-min-vitest-deterministic-runs-v1'
+
+// Env var is the first lookup in the resolver — set it once on module
+// load so all callers, including ones that don't import this helper
+// directly but transitively touch parseSession, see the same value.
+process.env.SETZKASTEN_SESSION_SECRET = TEST_SECRET
+// Also seed the dev cache so the file-based fallback never triggers
+// even if the env var is unset in some test that resets globals.
+__setDevSessionSecretForTests(TEST_SECRET)
+
+export function makeTestSessionCookie(session: AuthSession): string {
+  return signSession(session, TEST_SECRET)
+}

package/src/api-routes/__tests__/add-section-helpers.test.ts

@@ -14,7 +14,7 @@
  *   6. calculateRelativePath: correct relative paths for various depths
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, expect, it } from 'vitest'
 
 // ---------------------------------------------------------------------------
 // Helpers under test — re-implemented inline so we can test them without
@@ -26,15 +26,24 @@ import { describe, it, expect } from 'vitest'
 
 function getDefaultValue(fieldType: string): unknown {
   switch (fieldType) {
-    case 'text': return ''
-    case 'number': return 0
-    case 'boolean': return false
-    case 'image': return { path: '', alt: '' }
-    case 'array': return []
-    case 'color': return '#000000'
-    case 'date': return ''
-    case 'icon': return ''
-    default: return ''
+    case 'text':
+      return ''
+    case 'number':
+      return 0
+    case 'boolean':
+      return false
+    case 'image':
+      return { path: '', alt: '' }
+    case 'array':
+      return []
+    case 'color':
+      return '#000000'
+    case 'date':
+      return ''
+    case 'icon':
+      return ''
+    default:
+      return ''
   }
 }
 
@@ -151,20 +160,32 @@ describe('Content JSON generation', () => {
   ]
 
   it('should use defaultValue when provided', () => {
-    const data = buildSectionData({}, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      {},
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.heading).toBe('Hello')
     expect(data.count).toBe(42)
     expect(data.items).toEqual(['a', 'b'])
   })
 
   it('should fall back to getDefaultValue when defaultValue is absent', () => {
-    const data = buildSectionData({}, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      {},
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.active).toBe(false)
   })
 
   it('should not overwrite existing values on re-adoption', () => {
     const existing = { heading: 'Existing Title', count: 99 }
-    const data = buildSectionData(existing, fields, fields.map(f => f.key))
+    const data = buildSectionData(
+      existing,
+      fields,
+      fields.map((f) => f.key),
+    )
     expect(data.heading).toBe('Existing Title')
     expect(data.count).toBe(99)
   })
@@ -229,7 +250,9 @@ describe('Page config — section deduplication', () => {
 describe('sk-preview clone generation', () => {
   it('top-level page: imports with one ../', () => {
     const clone = buildPreviewClone('impressum.astro')
-    expect(clone).toBe("---\nexport const prerender = false;\nimport Page from '../impressum.astro';\n---\n<Page />\n")
+    expect(clone).toBe(
+      "---\nexport const prerender = false;\nimport Page from '../impressum.astro';\n---\n<Page />\n",
+    )
   })
 
   it('nested page: imports with correct depth', () => {
@@ -259,28 +282,36 @@ describe('sk-preview clone generation', () => {
 
 describe('calculateRelativePath', () => {
   it('same directory', () => {
-    expect(calculateRelativePath('src/components', 'src/components/Hero.astro'))
-      .toBe('./Hero.astro')
+    expect(calculateRelativePath('src/components', 'src/components/Hero.astro')).toBe(
+      './Hero.astro',
+    )
   })
 
   it('one level up', () => {
-    expect(calculateRelativePath('src/pages', 'src/components/sections/HeroSection.astro'))
-      .toBe('../components/sections/HeroSection.astro')
+    expect(calculateRelativePath('src/pages', 'src/components/sections/HeroSection.astro')).toBe(
+      '../components/sections/HeroSection.astro',
+    )
   })
 
   it('two levels up', () => {
-    expect(calculateRelativePath('src/pages/docs', 'src/components/sections/HeroSection.astro'))
-      .toBe('../../components/sections/HeroSection.astro')
+    expect(
+      calculateRelativePath('src/pages/docs', 'src/components/sections/HeroSection.astro'),
+    ).toBe('../../components/sections/HeroSection.astro')
   })
 
   it('completely different paths', () => {
-    expect(calculateRelativePath('apps/website/src/pages', 'apps/website/src/components/sections/Footer.astro'))
-      .toBe('../components/sections/Footer.astro')
+    expect(
+      calculateRelativePath(
+        'apps/website/src/pages',
+        'apps/website/src/components/sections/Footer.astro',
+      ),
+    ).toBe('../components/sections/Footer.astro')
   })
 
   it('component in same folder as page', () => {
-    expect(calculateRelativePath('src/pages', 'src/pages/HeroSection.astro'))
-      .toBe('./HeroSection.astro')
+    expect(calculateRelativePath('src/pages', 'src/pages/HeroSection.astro')).toBe(
+      './HeroSection.astro',
+    )
   })
 })
 
@@ -294,7 +325,10 @@ describe('calculateRelativePath', () => {
 // ---------------------------------------------------------------------------
 
 /** Simulate resolvedPagePath logic from init-add-section.ts step 4 */
-function resolvePagePath(bodyPagePath: string, fileExistsOnGitHub: (path: string) => boolean): string {
+function resolvePagePath(
+  bodyPagePath: string,
+  fileExistsOnGitHub: (path: string) => boolean,
+): string {
   if (fileExistsOnGitHub(bodyPagePath)) return bodyPagePath
   if (bodyPagePath.endsWith('.astro')) {
     const indexPath = bodyPagePath.replace(/\.astro$/, '/index.astro')

package/src/api-routes/__tests__/auth-guard.test.ts

@@ -1,17 +1,24 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-import { parseSession, guardPageAccess } from '../_auth-guard'
 import type { AuthSession, SetzKastenConfig } from '@setzkasten-cms/core'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { guardPageAccess, parseSession } from '../_auth-guard'
+import { makeTestSessionCookie } from './_session-test-helper'
 
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 
 function adminSession(): AuthSession {
-  return { user: { id: '1', email: 'admin@example.com', provider: 'github', role: 'admin' }, expiresAt: Date.now() + 86400_000 }
+  return {
+    user: { id: '1', email: 'admin@example.com', provider: 'github', role: 'admin' },
+    expiresAt: Date.now() + 86400_000,
+  }
 }
 
 function editorSession(email = 'editor@example.com'): AuthSession {
-  return { user: { id: '2', email, provider: 'google', role: 'editor' }, expiresAt: Date.now() + 86400_000 }
+  return {
+    user: { id: '2', email, provider: 'google', role: 'editor' },
+    expiresAt: Date.now() + 86400_000,
+  }
 }
 
 const baseConfig: SetzKastenConfig = {
@@ -33,9 +40,37 @@ describe('parseSession', () => {
     expect(parseSession('not-json')).toBeNull()
   })
 
-  it('parses a valid session cookie', () => {
+  it('rejects an unsigned plain-JSON cookie (legacy / forged format)', () => {
+    // Pre-C1 the cookie was JSON.stringify(session) — anyone could forge
+    // any role. parseSession must refuse the old format outright.
     const session = adminSession()
-    expect(parseSession(JSON.stringify(session))).toEqual(session)
+    expect(parseSession(JSON.stringify(session))).toBeNull()
+  })
+
+  it('accepts a properly signed session cookie', () => {
+    const session = adminSession()
+    expect(parseSession(makeTestSessionCookie(session))).toEqual(session)
+  })
+
+  it('rejects an expired signed session', () => {
+    const expired: AuthSession = {
+      user: { id: '1', email: 'admin@example.com', provider: 'github', role: 'admin' },
+      expiresAt: Date.now() - 1,
+    }
+    expect(parseSession(makeTestSessionCookie(expired))).toBeNull()
+  })
+
+  it('rejects a tampered payload (role escalation forgery)', () => {
+    const editor: AuthSession = {
+      user: { id: '2', email: 'e@example.com', provider: 'google', role: 'editor' },
+      expiresAt: Date.now() + 60_000,
+    }
+    const cookie = makeTestSessionCookie(editor)
+    const [, sig] = cookie.split('.')
+    const forgedPayload = Buffer.from(
+      JSON.stringify({ ...editor, user: { ...editor.user, role: 'admin' } }),
+    ).toString('base64url')
+    expect(parseSession(`${forgedPayload}.${sig}`)).toBeNull()
   })
 })
 
@@ -103,7 +138,11 @@ describe('guardPageAccess – dynamic editors', () => {
       kind: 'present',
       editors: [{ email: 'editor@example.com' }],
     })
-    const res = await guardPageAccess(editorSession('editor@example.com'), 'secret-page', baseConfig)
+    const res = await guardPageAccess(
+      editorSession('editor@example.com'),
+      'secret-page',
+      baseConfig,
+    )
     expect(res).toBeNull()
   })
 

package/src/api-routes/__tests__/catalog-api.test.ts

@@ -10,11 +10,11 @@
  *   3. buildCatalogAddCommit  — builds file paths for a catalog add commit
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, expect, it } from 'vitest'
 import {
+  buildCatalogAddCommit,
   buildCatalogResponse,
   validateCatalogAddBody,
-  buildCatalogAddCommit,
 } from '../catalog-helpers'
 
 // ---------------------------------------------------------------------------
@@ -31,7 +31,7 @@ describe('buildCatalogResponse', () => {
   })
 
   it('includes hero, features, cta', () => {
-    const names = buildCatalogResponse().map(t => t.name)
+    const names = buildCatalogResponse().map((t) => t.name)
     expect(names).toContain('hero')
     expect(names).toContain('features')
     expect(names).toContain('cta')
@@ -62,7 +62,9 @@ describe('validateCatalogAddBody', () => {
   })
 
   it('accepts body with sectionKey override', () => {
-    expect(() => validateCatalogAddBody({ templateName: 'hero', pageKey: 'index', sectionKey: 'hero--top' })).not.toThrow()
+    expect(() =>
+      validateCatalogAddBody({ templateName: 'hero', pageKey: 'index', sectionKey: 'hero--top' }),
+    ).not.toThrow()
   })
 
   it('throws when templateName is missing', () => {
@@ -74,7 +76,9 @@ describe('validateCatalogAddBody', () => {
   })
 
   it('throws when templateName is not in registry', () => {
-    expect(() => validateCatalogAddBody({ templateName: 'nonexistent-xyz', pageKey: 'index' })).toThrow()
+    expect(() =>
+      validateCatalogAddBody({ templateName: 'nonexistent-xyz', pageKey: 'index' }),
+    ).toThrow()
   })
 })
 
@@ -109,7 +113,11 @@ describe('buildCatalogAddCommit', () => {
   })
 
   it('pageConfigPath matches the pageKey', () => {
-    const result = buildCatalogAddCommit({ ...opts, pageKey: 'about', pageConfigPath: 'content/pages/_about.json' })
+    const result = buildCatalogAddCommit({
+      ...opts,
+      pageKey: 'about',
+      pageConfigPath: 'content/pages/_about.json',
+    })
     expect(result.pageConfigPath).toBe('content/pages/_about.json')
   })
 })

package/src/api-routes/__tests__/commit-trailers.test.ts

@@ -3,8 +3,8 @@
  * @vitest-environment node
  */
 
-import { describe, it, expect } from 'vitest'
-import { withTrailers, SETZKASTEN_CO_AUTHOR } from '../_commit-trailers'
+import { describe, expect, it } from 'vitest'
+import { SETZKASTEN_CO_AUTHOR, withTrailers } from '../_commit-trailers'
 
 describe('SETZKASTEN_CO_AUTHOR', () => {
   it('is a valid Co-authored-by trailer', () => {
@@ -28,20 +28,20 @@ describe('withTrailers', () => {
 
   it('does not add editor trailer when editorEmail is not provided', () => {
     const result = withTrailers('chore: something')
-    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    const lines = result.split('\n').filter((l) => l.startsWith('Co-authored-by:'))
     expect(lines).toHaveLength(1)
     expect(lines[0]).toBe(SETZKASTEN_CO_AUTHOR)
   })
 
   it('does not add editor trailer when editorEmail is null', () => {
     const result = withTrailers('chore: something', null)
-    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    const lines = result.split('\n').filter((l) => l.startsWith('Co-authored-by:'))
     expect(lines).toHaveLength(1)
   })
 
   it('adds editor Co-authored-by when editorEmail is provided', () => {
     const result = withTrailers('content: update', 'jane.doe@example.com')
-    const lines = result.split('\n').filter(l => l.startsWith('Co-authored-by:'))
+    const lines = result.split('\n').filter((l) => l.startsWith('Co-authored-by:'))
     expect(lines).toHaveLength(2)
     expect(lines[1]).toContain('jane.doe@example.com')
   })