@a83/orbiter-admin 0.2.0

package/public/theme.js

@@ -0,0 +1,63 @@
+/**
+ * Orbiter theme engine — runs inline in <head> before first paint.
+ * Manages: palette (space/zen/catppuccin) × scheme (dark/light/auto).
+ */
+
+// ── Console easter egg ──────────────────────────────────────────────
+(function () {
+  var a = 'color:#1898f8;font-size:18px;font-weight:600;letter-spacing:6px;font-family:monospace';
+  var b = 'color:#00c8a0;font-size:11px;font-family:monospace;line-height:1.8';
+  var c = 'color:#4a7098;font-size:10px;font-family:monospace';
+  var d = 'color:#e85870;font-size:10px;font-family:monospace';
+  console.log('%c⊙ ORBITER', a);
+  console.log('%cStandalone Admin — Content Management System\ngithub.com/aeon022/orbiter · MIT License', b);
+  console.log('%c─────────────────────────────────────────────', c);
+  console.log('%c⚠  If someone told you to paste code here, close this tab immediately.', d);
+})();
+(function () {
+  var theme  = localStorage.getItem('orb_theme')  || 'space';
+  var scheme = localStorage.getItem('orb_scheme') || 'auto';
+  var style  = localStorage.getItem('orb_style')  || 'glass';
+
+  var root = document.documentElement;
+  if (theme !== 'space') root.setAttribute('data-theme', theme);
+  if (scheme === 'dark')  root.setAttribute('data-scheme', 'dark');
+  if (scheme === 'light') root.setAttribute('data-scheme', 'light');
+  if (style === 'glass')  root.setAttribute('data-style', 'glass');
+
+  // Wire up toggle button once DOM is ready
+  document.addEventListener('DOMContentLoaded', function () {
+    var btn = document.getElementById('scheme-toggle');
+    if (!btn) return;
+
+    function updateBtn() {
+      var s = localStorage.getItem('orb_scheme') || 'auto';
+      if (s === 'auto') {
+        var prefersDark = window.matchMedia('(prefers-color-scheme: dark)').matches;
+        btn.textContent = prefersDark ? '◐' : '◑';
+        btn.title = 'Auto (' + (prefersDark ? 'dark' : 'light') + ') — click to override';
+      } else if (s === 'dark') {
+        btn.textContent = '●';
+        btn.title = 'Dark — click for light';
+      } else {
+        btn.textContent = '○';
+        btn.title = 'Light — click for auto';
+      }
+    }
+
+    btn.addEventListener('click', function () {
+      var s = localStorage.getItem('orb_scheme') || 'auto';
+      var next = s === 'auto' ? 'dark' : s === 'dark' ? 'light' : 'auto';
+      localStorage.setItem('orb_scheme', next);
+      var root = document.documentElement;
+      root.removeAttribute('data-scheme');
+      if (next === 'dark')  root.setAttribute('data-scheme', 'dark');
+      if (next === 'light') root.setAttribute('data-scheme', 'light');
+      updateBtn();
+    });
+
+    // React to system changes when in auto mode
+    window.matchMedia('(prefers-color-scheme: dark)').addEventListener('change', updateBtn);
+    updateBtn();
+  });
+})();

package/public/users.html

@@ -0,0 +1,192 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <link rel="icon" href="/favicon.svg" type="image/svg+xml">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Orbiter Admin — Users</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500&family=Space+Grotesk:wght@300;400;500;600&family=Noto+Serif+JP:wght@200;300&family=DM+Mono:wght@300;400&display=swap" rel="stylesheet">
+  <link rel="stylesheet" href="/style.css" />
+  <script src="/theme.js"></script>
+  <style>
+    .user-table { border:1px solid var(--line); border-radius:var(--radius); overflow:hidden; margin-bottom:28px; }
+    .user-head { display:grid; grid-template-columns:1fr 90px 160px 80px; padding:7px 16px; background:var(--bg2); border-bottom:1px solid var(--line); }
+    .user-head-cell { font-size:9px; letter-spacing:0.2em; text-transform:uppercase; color:var(--muted); }
+    .user-row { display:grid; grid-template-columns:1fr 90px 160px 80px; align-items:center; padding:12px 16px; border-bottom:1px solid var(--line2); background:var(--bg1); }
+    .user-row:last-child { border-bottom:none; }
+    .user-row.is-self { background:var(--accent-bg); }
+    .user-name { font-size:12px; color:var(--text); display:flex; align-items:center; gap:8px; }
+    .self-tag { font-size:9px; color:var(--accent); background:var(--accent-bg); border:1px solid rgba(90,122,240,.2); padding:1px 6px; border-radius:2px; }
+    .role-badge { font-size:9px; padding:2px 8px; letter-spacing:0.06em; border-radius:2px; }
+    .role-badge.admin  { color:var(--gold);  background:var(--gold-bg);  border:1px solid rgba(200,168,107,.2); }
+    .role-badge.editor { color:var(--muted); background:var(--bg3);      border:1px solid var(--line); }
+    .user-date { font-size:11px; color:var(--mid); }
+    .btn-del { padding:3px 10px; background:transparent; border:1px solid var(--line); color:var(--muted); font-family:var(--mono); font-size:9px; cursor:pointer; transition:all .12s; border-radius:2px; }
+    .btn-del:hover:not(:disabled) { border-color:var(--red); color:var(--red); background:rgba(139,38,53,.04); }
+    .btn-del:disabled { opacity:.3; cursor:default; }
+
+    .add-group { background:var(--bg2); border:1px solid var(--line); border-radius:var(--radius); }
+    .group-header { padding:10px 20px; border-bottom:1px solid var(--line); font-size:9px; letter-spacing:0.28em; text-transform:uppercase; color:var(--muted); display:flex; align-items:center; gap:8px; }
+    .group-header::before { content:"—"; color:var(--gold); }
+    .add-row { display:grid; grid-template-columns:1fr 1fr 120px; gap:12px; padding:16px 20px; align-items:end; }
+    .add-field { display:flex; flex-direction:column; gap:5px; }
+    .add-label { font-size:9px; letter-spacing:0.14em; text-transform:uppercase; color:var(--muted); }
+    .banner { padding:8px 16px; font-size:10px; display:flex; align-items:center; gap:6px; border-radius:var(--radius); margin-bottom:14px; }
+    .banner-ok  { background:var(--jade-bg); color:var(--jade); border:1px solid rgba(45,139,106,.2); }
+    .banner-ok::before { content:"✓"; }
+    .banner-err { background:rgba(139,38,53,.07); color:var(--red); border:1px solid rgba(139,38,53,.15); }
+    .banner-err::before { content:"✕"; }
+  </style>
+</head>
+<body>
+  <div class="app">
+    <header class="topbar">
+      <a class="logo" href="/dashboard.html"><div class="logo-mark">OR</div>Orbiter</a>
+      <div class="topbar-right">
+        <button class="search-trigger" id="search-btn" title="Search (⌘K)">
+          <svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="11" cy="11" r="8"/><path d="m21 21-4.35-4.35"/></svg>
+          Search <kbd>⌘K</kbd>
+        </button>
+        <button class="scheme-toggle" id="scheme-toggle" title="Toggle scheme">◐</button>
+        <span class="user" id="topbar-user"></span>
+        <span class="logout" id="logout-btn">Sign out</span>
+      </div>
+    </header>
+    <nav class="sidebar">
+      <div class="nav-section">Content</div>
+      <a class="nav-item" href="/dashboard.html"><span class="nav-icon">◈</span>Dashboard</a>
+      <a class="nav-item" href="/collections.html"><span class="nav-icon">⊞</span>Collections</a>
+      <div class="nav-section">Assets</div>
+      <a class="nav-item" href="/media.html"><span class="nav-icon">⊟</span>Media</a>
+      <div class="nav-section">System</div>
+      <a class="nav-item" href="/schema.html"><span class="nav-icon">◈</span>Schema</a>
+      <a class="nav-item" href="/build.html"><span class="nav-icon">▲</span>Build</a>
+      <a class="nav-item" href="/settings.html"><span class="nav-icon">◎</span>Settings</a>
+      <a class="nav-item active admin-only" href="/users.html" style="display:none"><span class="nav-icon">◉</span>Users</a>
+      <div class="sidebar-footer">
+        <div class="pod-name" id="pod-name">content.pod</div>
+        <div class="pod-info" id="pod-info"></div>
+        <div class="pod-status"><span class="pod-dot"></span>pod synced</div>
+      </div>
+    </nav>
+    <main class="main">
+      <div class="page-header">
+        <h1 class="page-title">Users</h1>
+        <p class="page-sub" id="user-count"></p>
+      </div>
+      <div id="banner" class="banner" style="display:none"></div>
+      <div id="content"><div class="empty"><div class="spinner"></div></div></div>
+    
+  <script type="module">
+    const me = await fetch('/api/auth/me',{credentials:'include'}).then(r=>r.json()).catch(()=>null);
+    if (!me?.user) { location.replace('/login.html'); }
+    if (me.user.role !== 'admin') { location.replace('/dashboard.html'); }
+    document.getElementById('topbar-user').textContent = me.user.username;
+    document.querySelectorAll('.admin-only').forEach(el=>el.style.display='');
+    document.getElementById('logout-btn').addEventListener('click',async()=>{
+      await fetch('/api/auth/logout',{method:'POST',credentials:'include'});
+      location.replace('/login.html');
+    });
+
+    function showBanner(cls, text) {
+      const el = document.getElementById('banner');
+      el.className = 'banner ' + cls;
+      el.textContent = text;
+      el.style.display = '';
+      setTimeout(()=>el.style.display='none', 3000);
+    }
+
+    async function loadUsers() {
+      const users = await fetch('/api/users',{credentials:'include'}).then(r=>r.json()).catch(()=>[]);
+      document.getElementById('user-count').textContent = `${users.length} user${users.length!==1?'s':''}`;
+
+      const wrap = document.getElementById('content');
+      if (!users.length) {
+        wrap.innerHTML = '<div class="empty"><div class="empty-icon">◉</div>No users yet</div>';
+        return;
+      }
+      wrap.innerHTML = `
+        <div class="user-table">
+          <div class="user-head">
+            <div class="user-head-cell">Username</div>
+            <div class="user-head-cell">Role</div>
+            <div class="user-head-cell">Last login</div>
+            <div class="user-head-cell"></div>
+          </div>
+          ${users.map(u=>`
+            <div class="user-row ${u.id===me.user.id?'is-self':''}">
+              <div class="user-name">${u.username}${u.id===me.user.id?'<span class="self-tag">you</span>':''}</div>
+              <div><span class="role-badge ${u.role}">${u.role}</span></div>
+              <div class="user-date">${u.last_login ? new Date(u.last_login).toLocaleDateString() : '—'}</div>
+              <div>
+                <button class="btn-del" data-id="${u.id}" ${u.id===me.user.id?'disabled':''}>Delete</button>
+              </div>
+            </div>
+          `).join('')}
+        </div>
+        ${addForm()}
+      `;
+      attachAddForm();
+      wrap.querySelectorAll('.btn-del').forEach(btn=>btn.addEventListener('click', async ()=>{
+        if (!confirm('Delete this user?')) return;
+        const res = await fetch(`/api/users/${btn.dataset.id}`,{method:'DELETE',credentials:'include'});
+        if (res.ok) { showBanner('banner-ok ✓ User deleted'); loadUsers(); }
+        else showBanner('banner-err', '✕ Could not delete user');
+      }));
+    }
+
+    function addForm() {
+      return `
+        <div class="add-group">
+          <div class="group-header">Add user</div>
+          <form id="add-user-form">
+            <div class="add-row">
+              <div class="add-field">
+                <label class="add-label">Username</label>
+                <input class="input" type="text" name="username" autocomplete="off" required placeholder="username" />
+              </div>
+              <div class="add-field">
+                <label class="add-label">Password — min 8 chars</label>
+                <input class="input" type="password" name="password" autocomplete="new-password" required minlength="8" />
+              </div>
+              <div class="add-field">
+                <label class="add-label">Role</label>
+                <select class="input" name="role">
+                  <option value="editor">editor</option>
+                  <option value="admin">admin</option>
+                </select>
+              </div>
+            </div>
+            <div style="padding:0 20px 16px;display:flex;justify-content:flex-end;">
+              <button type="submit" class="btn btn-primary">+ Add user</button>
+            </div>
+          </form>
+        </div>
+      `;
+    }
+
+    function attachAddForm() {
+      document.getElementById('add-user-form').addEventListener('submit', async e=>{
+        e.preventDefault();
+        const fd = new FormData(e.target);
+        const res = await fetch('/api/users',{
+          method:'POST', credentials:'include',
+          headers:{'Content-Type':'application/json'},
+          body: JSON.stringify({ username: fd.get('username'), password: fd.get('password'), role: fd.get('role') }),
+        });
+        const json = await res.json();
+        if (res.ok) { showBanner('banner-ok','✓ User created'); e.target.reset(); loadUsers(); }
+        else showBanner('banner-err','✕ ' + (json.error ?? 'Failed'));
+      });
+    }
+
+    loadUsers();
+  </script>
+</main>
+  </div>
+  <script src="/search.js"></script>
+  <script src="/sidebar.js"></script>
+  <script src="/router.js"></script>
+</body>
+</html>

package/src/index.js

@@ -0,0 +1,4 @@
+// @a83/orbiter-admin
+// Phase 2 — Admin UI
+// Placeholder for now. Coming in Bridge phase.
+export const VERSION = '0.0.1';

package/src/middleware/auth.js

@@ -0,0 +1,20 @@
+import { getCookie } from 'hono/cookie';
+import { openPod } from '@a83/orbiter-core';
+
+export const requireAuth = async (c, next) => {
+  const token = getCookie(c, 'orb_sess') ?? '';
+  const db    = openPod(c.get('podPath'));
+  const user  = db.checkSession(token);
+  db.close();
+
+  if (!user) return c.json({ error: 'Unauthorized' }, 401);
+
+  c.set('user', user);
+  await next();
+};
+
+export const requireAdmin = async (c, next) => {
+  const user = c.get('user');
+  if (user?.role !== 'admin') return c.json({ error: 'Forbidden' }, 403);
+  await next();
+};

package/src/routes/account.js

@@ -0,0 +1,41 @@
+import { Hono } from 'hono';
+import { openPod, verifyPassword, hashPassword } from '@a83/orbiter-core';
+
+export const accountRoutes = new Hono();
+
+// PUT /api/account/password
+accountRoutes.put('/password', async (c) => {
+  const user = c.get('user');
+  const { currentPassword, newPassword } = await c.req.json();
+  if (!currentPassword || !newPassword) return c.json({ error: 'Missing fields' }, 400);
+  if (newPassword.length < 8) return c.json({ error: 'Password must be at least 8 characters' }, 400);
+
+  const db   = openPod(c.get('podPath'));
+  const full = db.getUserByUsername(user.username);
+  const ok   = await verifyPassword(currentPassword, full.password);
+  if (!ok) { db.close(); return c.json({ error: 'Current password is incorrect' }, 401); }
+
+  const hash = await hashPassword(newPassword);
+  db.db.prepare('UPDATE _users SET password = ? WHERE id = ?').run(hash, user.id);
+  db.close();
+  return c.json({ ok: true });
+});
+
+// PUT /api/account/username
+accountRoutes.put('/username', async (c) => {
+  const user = c.get('user');
+  const { newUsername, currentPassword } = await c.req.json();
+  if (!newUsername || !currentPassword) return c.json({ error: 'Missing fields' }, 400);
+
+  const db   = openPod(c.get('podPath'));
+  const full = db.getUserByUsername(user.username);
+  const ok   = await verifyPassword(currentPassword, full.password);
+  if (!ok) { db.close(); return c.json({ error: 'Current password is incorrect' }, 401); }
+
+  const taken = db.db.prepare('SELECT id FROM _users WHERE username = ? AND id != ?').get(newUsername, user.id);
+  if (taken) { db.close(); return c.json({ error: 'Username already taken' }, 409); }
+
+  db.db.prepare('UPDATE _users SET username = ? WHERE id = ?').run(newUsername, user.id);
+  db.close();
+  return c.json({ ok: true });
+});

package/src/routes/auth.js

@@ -0,0 +1,55 @@
+import { Hono } from 'hono';
+import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
+import { openPod, verifyPassword, generateToken } from '@a83/orbiter-core';
+
+export const authRoutes = new Hono();
+
+// POST /api/auth/login
+authRoutes.post('/login', async (c) => {
+  const { username, password } = await c.req.json();
+  if (!username || !password) return c.json({ error: 'Missing credentials' }, 400);
+
+  const db   = openPod(c.get('podPath'));
+  const user = db.getUserByUsername(username);
+  if (!user || !(await verifyPassword(password, user.password))) {
+    db.close();
+    return c.json({ error: 'Invalid username or password' }, 401);
+  }
+
+  const token     = generateToken();
+  const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000)
+    .toISOString().replace('T', ' ').replace(/\.\d{3}Z$/, '');
+  db.createSession(user.id, token, expiresAt);
+  db.close();
+
+  setCookie(c, 'orb_sess', token, {
+    httpOnly: true,
+    sameSite: 'Lax',
+    path: '/',
+    maxAge: 30 * 24 * 60 * 60,
+  });
+
+  return c.json({ ok: true, user: { id: user.id, username: user.username, role: user.role } });
+});
+
+// POST /api/auth/logout
+authRoutes.post('/logout', (c) => {
+  const token = getCookie(c, 'orb_sess') ?? '';
+  if (token) {
+    const db = openPod(c.get('podPath'));
+    db.deleteSession(token);
+    db.close();
+  }
+  deleteCookie(c, 'orb_sess');
+  return c.json({ ok: true });
+});
+
+// GET /api/auth/me
+authRoutes.get('/me', (c) => {
+  const token = getCookie(c, 'orb_sess') ?? '';
+  const db    = openPod(c.get('podPath'));
+  const user  = db.checkSession(token);
+  db.close();
+  if (!user) return c.json({ error: 'Unauthorized' }, 401);
+  return c.json({ user });
+});

package/src/routes/build.js

@@ -0,0 +1,25 @@
+import { Hono } from 'hono';
+import { openPod } from '@a83/orbiter-core';
+
+export const buildRoutes = new Hono();
+
+// POST /api/build/trigger
+buildRoutes.post('/trigger', async (c) => {
+  const db  = openPod(c.get('podPath'));
+  const url = db.getMeta('build.webhook_url') ?? '';
+  db.close();
+  if (!url) return c.json({ error: 'No webhook URL configured' }, 400);
+
+  const res = await fetch(url, { method: 'POST' }).catch(e => ({ ok: false, status: 0, err: e.message }));
+  if (!res.ok) return c.json({ error: `Webhook returned ${res.status}` }, 502);
+  return c.json({ ok: true });
+});
+
+// GET /api/build/status
+buildRoutes.get('/status', (c) => {
+  const db     = openPod(c.get('podPath'));
+  const webhook = db.getMeta('build.webhook_url') ?? '';
+  const last   = db.getMeta('build.last_triggered') ?? null;
+  db.close();
+  return c.json({ configured: !!webhook, lastTriggered: last });
+});

package/src/routes/collections.js

@@ -0,0 +1,65 @@
+import { Hono } from 'hono';
+import { openPod } from '@a83/orbiter-core';
+import { requireAdmin } from '../middleware/auth.js';
+
+export const collectionRoutes = new Hono();
+
+// GET /api/collections
+collectionRoutes.get('/', (c) => {
+  const db   = openPod(c.get('podPath'));
+  const cols = db.getCollections().map(col => ({
+    ...col,
+    schema: col.schema ? JSON.parse(col.schema) : {},
+    total:  db.getEntries(col.id).length,
+  }));
+  db.close();
+  return c.json(cols);
+});
+
+// GET /api/collections/:id
+collectionRoutes.get('/:id', (c) => {
+  const db  = openPod(c.get('podPath'));
+  const col = db.getCollection(c.req.param('id'));
+  db.close();
+  if (!col) return c.json({ error: 'Not found' }, 404);
+  return c.json({ ...col, schema: col.schema ? JSON.parse(col.schema) : {} });
+});
+
+// POST /api/collections  (admin only)
+collectionRoutes.post('/', requireAdmin, async (c) => {
+  const { id, label, schema = {} } = await c.req.json();
+  if (!id || !label) return c.json({ error: 'id and label are required' }, 400);
+
+  const safeId = id.toLowerCase().replace(/[^a-z0-9_]/g, '_').replace(/^_+|_+$/g, '');
+  const db     = openPod(c.get('podPath'));
+  if (db.getCollection(safeId)) {
+    db.close();
+    return c.json({ error: `Collection "${safeId}" already exists` }, 409);
+  }
+  db.createCollection(safeId, label, schema);
+  const created = db.getCollection(safeId);
+  db.close();
+  return c.json({ ...created, schema }, 201);
+});
+
+// PUT /api/collections/:id  (admin only)
+collectionRoutes.put('/:id', requireAdmin, async (c) => {
+  const { label, schema } = await c.req.json();
+  const db  = openPod(c.get('podPath'));
+  const col = db.getCollection(c.req.param('id'));
+  if (!col) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  db.updateCollection(col.id, label ?? col.label, schema ?? JSON.parse(col.schema ?? '{}'));
+  const updated = db.getCollection(col.id);
+  db.close();
+  return c.json({ ...updated, schema: updated.schema ? JSON.parse(updated.schema) : {} });
+});
+
+// DELETE /api/collections/:id  (admin only)
+collectionRoutes.delete('/:id', requireAdmin, (c) => {
+  const db  = openPod(c.get('podPath'));
+  const col = db.getCollection(c.req.param('id'));
+  if (!col) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  db.deleteCollection(col.id);
+  db.close();
+  return c.json({ ok: true });
+});

package/src/routes/entries.js

@@ -0,0 +1,103 @@
+import { Hono } from 'hono';
+import { openPod } from '@a83/orbiter-core';
+
+export const entryRoutes = new Hono();
+
+// GET /api/collections/:id/entries?status=draft|published
+entryRoutes.get('/:collectionId/entries', (c) => {
+  const { collectionId } = c.req.param();
+  const status  = c.req.query('status') || undefined;
+  const db      = openPod(c.get('podPath'));
+  if (!db.getCollection(collectionId)) { db.close(); return c.json({ error: 'Collection not found' }, 404); }
+  const entries = db.getEntries(collectionId, { status });
+  db.close();
+  return c.json(entries);
+});
+
+// GET /api/collections/:id/entries/:slug
+entryRoutes.get('/:collectionId/entries/:slug', (c) => {
+  const { collectionId, slug } = c.req.param();
+  const db    = openPod(c.get('podPath'));
+  const entry = db.getEntry(collectionId, slug);
+  db.close();
+  if (!entry) return c.json({ error: 'Not found' }, 404);
+  return c.json(entry);
+});
+
+// POST /api/collections/:id/entries
+entryRoutes.post('/:collectionId/entries', async (c) => {
+  const { collectionId } = c.req.param();
+  const { slug, data = {}, status = 'draft' } = await c.req.json();
+  if (!slug) return c.json({ error: 'slug is required' }, 400);
+
+  const db = openPod(c.get('podPath'));
+  if (!db.getCollection(collectionId)) { db.close(); return c.json({ error: 'Collection not found' }, 404); }
+  if (db.getEntry(collectionId, slug)) { db.close(); return c.json({ error: `Entry "${slug}" already exists` }, 409); }
+
+  const id    = db.createEntry(collectionId, slug, data, status);
+  const entry = db.getEntry(collectionId, slug);
+  db.close();
+  return c.json({ ...entry, id }, 201);
+});
+
+// PUT /api/collections/:id/entries/:slug
+entryRoutes.put('/:collectionId/entries/:slug', async (c) => {
+  const { collectionId, slug } = c.req.param();
+  const body = await c.req.json();
+
+  const db = openPod(c.get('podPath'));
+  const ok = db.updateEntry(collectionId, slug, body);
+  if (!ok) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  const updated = db.getEntry(collectionId, body.slug ?? slug);
+  db.close();
+  return c.json(updated);
+});
+
+// DELETE /api/collections/:id/entries/:slug
+entryRoutes.delete('/:collectionId/entries/:slug', (c) => {
+  const { collectionId, slug } = c.req.param();
+  const db = openPod(c.get('podPath'));
+  const ok = db.deleteEntry(collectionId, slug);
+  db.close();
+  if (!ok) return c.json({ error: 'Not found' }, 404);
+  return c.json({ ok: true });
+});
+
+// GET /api/collections/:id/entries/:slug/versions
+entryRoutes.get('/:collectionId/entries/:slug/versions', (c) => {
+  const { collectionId, slug } = c.req.param();
+  const db    = openPod(c.get('podPath'));
+  const entry = db.getEntry(collectionId, slug);
+  if (!entry) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  const versions = db.db
+    .prepare('SELECT id, created_at FROM _versions WHERE entry_id = ? ORDER BY created_at DESC LIMIT 20')
+    .all(entry.id);
+  db.close();
+  return c.json(versions);
+});
+
+// POST /api/collections/:id/entries/:slug/duplicate
+entryRoutes.post('/:collectionId/entries/:slug/duplicate', (c) => {
+  const { collectionId, slug } = c.req.param();
+  const db    = openPod(c.get('podPath'));
+  const entry = db.getEntry(collectionId, slug);
+  if (!entry) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  const newSlug = slug + '-copy';
+  db.createEntry(collectionId, newSlug, entry.data, 'draft');
+  const created = db.getEntry(collectionId, newSlug);
+  db.close();
+  return c.json(created, 201);
+});
+
+// PATCH /api/collections/:id/entries/:slug/status
+entryRoutes.patch('/:collectionId/entries/:slug/status', async (c) => {
+  const { collectionId, slug } = c.req.param();
+  const { status } = await c.req.json();
+  if (!['draft', 'published'].includes(status)) return c.json({ error: 'Invalid status' }, 400);
+  const db    = openPod(c.get('podPath'));
+  const entry = db.getEntry(collectionId, slug);
+  if (!entry) { db.close(); return c.json({ error: 'Not found' }, 404); }
+  db.updateEntry(collectionId, slug, { slug, data: entry.data, status });
+  db.close();
+  return c.json({ ok: true });
+});