@aion0/forge 0.8.1 → 0.8.2

package/RELEASE_NOTES.md

@@ -1,12 +1,31 @@
-# Forge v0.8.1
+# Forge v0.8.2
 
-Released: 2026-05-19
+Released: 2026-05-20
 
-## Changes since v0.8.0
+## Changes since v0.8.1
 
 ### Other
-- feat(monitor): show Chat Server + Browser Bridge in Monitor panel
-- fix(chat): use relative imports in chat-standalone graph
+- feat(skills): local skill upload (.md / .zip), parallel to connector install-local
+- fix(pipeline): auto-sync gitlab connector PAT into glab auth + env
+- feat(jobs): Job.skills + thread through to claude --append-system-prompt
+- fix(connectors): friendlier error when browser-probe handler missing
+- fix(pipeline): allow retry on running nodes + reap orphans on boot
+- feat(connectors): browser-side test probe via extension bridge
+- feat(connectors): manifest-driven Test button
+- docs(connectors): 21-build-connector.md + AI routing for authoring
+- feat(connectors): Upload button + drag-and-drop in marketplace
+- feat(connectors): install-local API — accept YAML or zip
+- refactor(connectors): move marketplace from Settings to SkillsPanel tab
+- fix(connectors): surface fetch root cause + show installed in marketplace
+- docs(connectors): rewrite 17-connectors.md for marketplace model
+- feat(connectors): drop builtin yamls + purge connector code from plugin/
+- feat(connectors): one-shot migration from plugin-configs.json
+- feat(connectors): Settings Marketplace panel
+- feat(connectors): marketplace API /api/connectors/marketplace
+- feat(connectors): route /api/connectors + chat through new registry
+- feat(connectors): sync — pull registry + manifests from forge-connectors
+- feat(connectors): registry — load manifests from <dataDir>/connectors/
+- feat(connectors): extract independent types in lib/connectors/
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.8.0...v0.8.1
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.8.1...v0.8.2

package/app/api/connectors/[id]/settings/route.ts

@@ -1,28 +1,31 @@
 /**
- * Per-user settings for a connector plugin.
+ * Per-user settings for an installed connector.
  *
- * Browser-side connectors don't have a Forge-side executor, so "install" is
- * really just "save your host URL + preferences". We map connector `settings`
- * onto the existing plugin config storage to avoid a second store.
+ * GET  → masked settings + schema + installed flag
+ * POST → save settings (preserves stored secrets if client returns
+ *        the bullet placeholder unchanged)
+ *
+ * Secrets (fields with type === 'secret') are encrypted at rest by
+ * lib/connectors/registry.ts (AES-256-GCM via lib/crypto.ts) and
+ * masked here so the plaintext never crosses the wire on GET.
  */
 
 import { NextResponse } from 'next/server';
 import {
-  getPlugin,
-  getInstalledPlugin,
-  installPlugin,
-  updatePluginConfig,
-  getConnectorsForPlugin,
-} from '@/lib/plugins/registry';
-import type { PluginFieldSchema } from '@/lib/plugins/types';
+  getConnector,
+  getInstalledConnector,
+  setConnectorConfig,
+} from '@/lib/connectors/registry';
+import type { ConnectorFieldSchema } from '@/lib/connectors/types';
 
-function settingsSchemaFor(id: string): Record<string, PluginFieldSchema> {
-  const def = getPlugin(id);
+function settingsSchemaFor(id: string): Record<string, ConnectorFieldSchema> {
+  const def = getConnector(id);
   if (!def) return {};
-  // For 1:N suites, merge settings across all entries (caller can scope by entry id).
-  const merged: Record<string, PluginFieldSchema> = {};
-  for (const c of getConnectorsForPlugin(def)) {
-    if (c.settings) Object.assign(merged, c.settings);
+  const merged: Record<string, ConnectorFieldSchema> = {};
+  if (def.settings) Object.assign(merged, def.settings);
+  // 1:N suites: union of each entry's settings
+  for (const entry of def.connectors || []) {
+    if (entry.settings) Object.assign(merged, entry.settings);
   }
   return merged;
 }
@@ -38,12 +41,12 @@ function defaultsFor(id: string): Record<string, any> {
 
 const SECRET_MASK = '••••••••';
 
-function isSecretField(schema: PluginFieldSchema | undefined): boolean {
+function isSecretField(schema: ConnectorFieldSchema | undefined): boolean {
   if (!schema) return false;
   return schema.type === 'secret' || (schema.type as string) === 'password';
 }
 
-function maskSecrets(settings: Record<string, any>, schema: Record<string, PluginFieldSchema>): Record<string, any> {
+function maskSecrets(settings: Record<string, any>, schema: Record<string, ConnectorFieldSchema>): Record<string, any> {
   const out: Record<string, any> = { ...settings };
   for (const [k, v] of Object.entries(schema)) {
     if (isSecretField(v) && typeof out[k] === 'string' && out[k]) {
@@ -56,7 +59,7 @@ function maskSecrets(settings: Record<string, any>, schema: Record<string, Plugi
 function restoreSecrets(
   incoming: Record<string, any>,
   existing: Record<string, any>,
-  schema: Record<string, PluginFieldSchema>,
+  schema: Record<string, ConnectorFieldSchema>,
 ): Record<string, any> {
   const out: Record<string, any> = { ...incoming };
   for (const [k, v] of Object.entries(schema)) {
@@ -70,11 +73,9 @@ function restoreSecrets(
 
 export async function GET(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
-  const def = getPlugin(id);
-  if (!def || def.category !== 'connector') {
-    return NextResponse.json({ error: 'connector not found' }, { status: 404 });
-  }
-  const inst = getInstalledPlugin(id);
+  const def = getConnector(id);
+  if (!def) return NextResponse.json({ error: 'connector not found' }, { status: 404 });
+  const inst = getInstalledConnector(id);
   const stored = inst?.config || {};
   const schema = settingsSchemaFor(id);
   const merged = { ...defaultsFor(id), ...stored };
@@ -87,10 +88,8 @@ export async function GET(req: Request, { params }: { params: Promise<{ id: stri
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
-  const def = getPlugin(id);
-  if (!def || def.category !== 'connector') {
-    return NextResponse.json({ error: 'connector not found' }, { status: 404 });
-  }
+  const def = getConnector(id);
+  if (!def) return NextResponse.json({ error: 'connector not found' }, { status: 404 });
 
   const body = await req.json().catch(() => ({}));
   const settings = body?.settings ?? body;
@@ -98,15 +97,10 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
     return NextResponse.json({ error: 'settings must be an object' }, { status: 400 });
   }
 
-  const existing = getInstalledPlugin(id);
+  const existing = getInstalledConnector(id);
   const schema = settingsSchemaFor(id);
   const merged = restoreSecrets(settings, existing?.config || {}, schema);
-  const ok = existing
-    ? updatePluginConfig(id, merged)
-    : installPlugin(id, merged);
-
-  if (!ok) {
-    return NextResponse.json({ error: 'failed to persist settings' }, { status: 500 });
-  }
+  const ok = setConnectorConfig(id, merged);
+  if (!ok) return NextResponse.json({ error: 'failed to persist settings' }, { status: 500 });
   return NextResponse.json({ ok: true, settings: maskSecrets(merged, schema) });
 }

package/app/api/connectors/[id]/test/route.ts

@@ -0,0 +1,260 @@
+/**
+ * POST /api/connectors/[id]/test
+ *
+ * Reachability probe for a connector. Runs the manifest's `test:`
+ * block (an HTTP request) against the user's saved settings, returns
+ * a structured result for the Settings → Connectors UI to render.
+ *
+ *   {
+ *     ok: true,
+ *     status: 200,
+ *     message: "Authenticated as zliu (Zhen Liu)",
+ *     duration_ms: 152
+ *   }
+ *
+ * On failure:
+ *
+ *   {
+ *     ok: false,
+ *     status: 401,
+ *     error: "Token was revoked. You have to re-authorize from the user.",
+ *     body_preview: "{...}"
+ *   }
+ *
+ * The probe is HTTP-only — connectors that need a different mechanism
+ * (browser DOM, shell exec) simply omit `test:` and the UI hides the
+ * button.
+ */
+
+import { NextResponse } from 'next/server';
+import {
+  getConnector,
+  getConnectorEntries,
+  getInstalledConnector,
+} from '@/lib/connectors/registry';
+import { expandSettingsTokens, expandAllTokens } from '@/lib/plugins/templates';
+import { bridgeRpc } from '@/lib/chat/bridge-client';
+import type { ConnectorDefinition, ConnectorTest, HttpRequestSpec } from '@/lib/connectors/types';
+
+const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_BODY_PREVIEW = 1024;
+
+function expandString(s: string, settings: Record<string, unknown>): string {
+  return expandAllTokens(s, settings as Record<string, any>, {});
+}
+
+function buildUrl(spec: HttpRequestSpec, settings: Record<string, unknown>): string {
+  let url = expandString(spec.url, settings);
+  if (spec.query) {
+    const u = new URL(url);
+    for (const [k, raw] of Object.entries(spec.query)) {
+      u.searchParams.set(k, expandString(String(raw), settings));
+    }
+    url = u.toString();
+  }
+  return url;
+}
+
+function buildHeaders(spec: HttpRequestSpec, settings: Record<string, unknown>): Headers {
+  const h = new Headers();
+  if (spec.headers) {
+    for (const [k, raw] of Object.entries(spec.headers)) {
+      h.set(k, expandString(String(raw), settings));
+    }
+  }
+  return h;
+}
+
+function buildBody(
+  spec: HttpRequestSpec,
+  settings: Record<string, unknown>,
+): { body?: string; contentType?: string } {
+  if (spec.body == null) return {};
+  if (typeof spec.body === 'string') {
+    return { body: expandString(spec.body, settings) };
+  }
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(spec.body)) {
+    out[k] = typeof v === 'string' ? expandString(v, settings) : v;
+  }
+  return { body: JSON.stringify(out), contentType: 'application/json' };
+}
+
+/**
+ * Render `{{path.to.value}}` placeholders against a parsed JSON body.
+ * Missing paths render as "?", non-string scalars get stringified.
+ */
+function renderTemplate(template: string, body: unknown): string {
+  return template.replace(/\{\{([^{}]+)\}\}/g, (_match, expr) => {
+    const path = String(expr).trim().split('.').filter(Boolean);
+    let cur: any = body;
+    for (const p of path) {
+      if (cur && typeof cur === 'object' && p in cur) cur = cur[p];
+      else return '?';
+    }
+    if (cur == null) return '?';
+    return typeof cur === 'string' ? cur : JSON.stringify(cur);
+  });
+}
+
+interface TestResult {
+  ok: boolean;
+  status?: number;
+  message?: string;
+  error?: string;
+  duration_ms?: number;
+  body_preview?: string;
+}
+
+async function runHttpProbe(test: ConnectorTest, settings: Record<string, unknown>): Promise<TestResult> {
+  const spec = test.request;
+  if (!spec?.url) return { ok: false, error: 'test.request.url is required for http probe' };
+
+  const method = (spec.method || 'GET').toUpperCase();
+  const url = buildUrl(spec, settings);
+  const headers = buildHeaders(spec, settings);
+  const { body, contentType } = buildBody(spec, settings);
+  if (body != null && contentType && !headers.has('content-type')) {
+    headers.set('content-type', contentType);
+  }
+
+  const timeoutMs = test.timeout_ms || DEFAULT_TIMEOUT_MS;
+  const okStatus = test.ok_status?.length ? test.ok_status : [200];
+
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  const t0 = Date.now();
+  let res: Response;
+  try {
+    res = await fetch(url, { method, headers, body, signal: ctrl.signal });
+  } catch (e) {
+    clearTimeout(timer);
+    const err = e as Error & { cause?: unknown };
+    const cause = err.cause instanceof Error ? `: ${err.cause.message}` : '';
+    return {
+      ok: false,
+      error: `request failed: ${err.message}${cause}`,
+      duration_ms: Date.now() - t0,
+    };
+  }
+  clearTimeout(timer);
+
+  const duration = Date.now() - t0;
+  const text = await res.text().catch(() => '');
+  const preview = text.length > MAX_BODY_PREVIEW ? text.slice(0, MAX_BODY_PREVIEW) + '…' : text;
+
+  if (!okStatus.includes(res.status)) {
+    let errMsg = `HTTP ${res.status} ${res.statusText}`;
+    try {
+      const j = JSON.parse(text);
+      if (typeof j?.error === 'string') errMsg += `: ${j.error}`;
+      else if (typeof j?.message === 'string') errMsg += `: ${j.message}`;
+      else if (typeof j?.error_description === 'string') errMsg += `: ${j.error_description}`;
+    } catch {}
+    return {
+      ok: false,
+      status: res.status,
+      error: errMsg,
+      duration_ms: duration,
+      body_preview: preview,
+    };
+  }
+
+  let parsedBody: unknown = null;
+  try { parsedBody = JSON.parse(text); } catch {}
+  const message = test.ok_template
+    ? renderTemplate(test.ok_template, parsedBody)
+    : `OK (HTTP ${res.status})`;
+  return {
+    ok: true,
+    status: res.status,
+    message,
+    duration_ms: duration,
+  };
+}
+
+/**
+ * Browser probe: ask the paired extension to land on the connector's
+ * host_match URL and report whether `login_redirect` was hit.
+ *
+ * The extension implements `connector.probe` (see
+ * lib/help-docs/21-build-connector.md for the wire contract). On
+ * sites the user is logged in to, it returns
+ *   { ok: true, url: '<final tab URL>' }
+ * On a redirect to the login page it returns
+ *   { ok: false, error: 'login required', url: '<login url>' }
+ * On extension absence we throw, caller surfaces it.
+ */
+async function runBrowserProbe(
+  def: ConnectorDefinition,
+  settings: Record<string, unknown>,
+): Promise<TestResult> {
+  const entries = getConnectorEntries(def);
+  const entry = entries[0];
+  const hostMatch = def.host_match || entry?.host_match;
+  const loginRedirect = def.login_redirect || entry?.login_redirect;
+  if (!hostMatch) {
+    return { ok: false, error: 'browser probe requires host_match on the manifest' };
+  }
+  const expandedHost = expandSettingsTokens(hostMatch, settings as any);
+  const expandedLoginRedirect = loginRedirect
+    ? expandSettingsTokens(loginRedirect, settings as any)
+    : undefined;
+
+  const t0 = Date.now();
+  let value: unknown;
+  try {
+    value = await bridgeRpc('connector.probe', {
+      pluginId: def.id,
+      host_match: expandedHost,
+      login_redirect: expandedLoginRedirect,
+      runner: def.runner || entry?.runner || 'main',
+      timeout_ms: def.test?.timeout_ms || 30_000,
+    });
+  } catch (e) {
+    const raw = (e as Error).message || String(e);
+    let friendly = raw;
+    if (raw.includes('unknown method: connector.probe')) {
+      friendly =
+        'Your Forge browser extension is out of date — it doesn\'t know how to run browser probes yet. ' +
+        'Rebuild the extension (pnpm ext in forge-browser-extension), then chrome://extensions → Reload, and try Test again.';
+    } else if (raw.includes('bridge') && raw.includes('unreachable')) {
+      friendly =
+        'Forge browser bridge is unreachable on port 8407. Restart Forge (forge server restart) or check that the browser-bridge standalone is running.';
+    } else if (raw.includes('no paired extensions') || raw.includes('no connected')) {
+      friendly =
+        'Forge browser extension not connected. Install the extension from forge-browser-extension/dist, pin it, and sign in with your Forge URL + admin password.';
+    }
+    return {
+      ok: false,
+      error: friendly,
+      duration_ms: Date.now() - t0,
+    };
+  }
+  const r = (value || {}) as { ok?: boolean; url?: string; error?: string };
+  return {
+    ok: !!r.ok,
+    message: r.ok ? `Session active${r.url ? ` · ${r.url}` : ''}` : undefined,
+    error: r.ok ? undefined : (r.error || 'login required'),
+    duration_ms: Date.now() - t0,
+  };
+}
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params;
+  const def = getConnector(id);
+  if (!def) return NextResponse.json({ ok: false, error: 'connector not found' }, { status: 404 });
+  if (!def.test) {
+    return NextResponse.json({ ok: false, error: 'connector has no test block' }, { status: 400 });
+  }
+  const inst = getInstalledConnector(id);
+  if (!inst) {
+    return NextResponse.json({ ok: false, error: 'connector not installed' }, { status: 400 });
+  }
+
+  const probe = def.test.probe || 'http';
+  const r = probe === 'browser'
+    ? await runBrowserProbe(def, inst.config)
+    : await runHttpProbe(def.test, inst.config);
+  return NextResponse.json(r);
+}

package/app/api/connectors/install-local/route.ts

@@ -0,0 +1,211 @@
+/**
+ * POST /api/connectors/install-local
+ *
+ * Install a connector from a user-supplied manifest. Two flavours:
+ *
+ *   multipart/form-data with field `file`:
+ *     - .yaml / .yml  → single-file manifest
+ *     - .zip          → multi-file bundle (must contain manifest.yaml
+ *                       at the root; may add README.md, icon.svg,
+ *                       tools/*.js, etc.)
+ *
+ *   application/json body `{ yaml: "...", id?: "..." }`:
+ *     - convenience path for callers that already have the YAML in
+ *       memory (Forge Help AI, internal scripts). `id` is optional
+ *       — if missing, parsed from the manifest.
+ *
+ * Behaviour:
+ *   1. Validate the manifest has `id`, `name`, and at least `tools` or
+ *      `connectors[]`.
+ *   2. Write the manifest (and any zip siblings) to
+ *      <dataDir>/connectors/<id>/.
+ *   3. Register/upsert the row in connector-configs.json with the
+ *      manifest's version as installed_version, preserving any prior
+ *      user-supplied settings (so re-installing a tweaked version
+ *      doesn't blow away a PAT).
+ *
+ * Marketplace UI distinguishes "local" connectors from "registry"
+ * connectors by membership in the registry cache — no extra source
+ * field on disk.
+ */
+
+import { NextResponse } from 'next/server';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join, normalize, sep } from 'node:path';
+import AdmZip from 'adm-zip';
+import YAML from 'yaml';
+import { getDataDir } from '@/lib/dirs';
+import { installConnector } from '@/lib/connectors/registry';
+
+const MAX_ZIP_BYTES = 5 * 1024 * 1024;          // 5 MB
+const MAX_FILE_BYTES = 1 * 1024 * 1024;         // 1 MB per file inside the zip
+const MAX_FILES_IN_ZIP = 50;
+
+interface ParsedManifest {
+  id: string;
+  name: string;
+  version?: string;
+}
+
+function parseManifest(yaml: string): ParsedManifest {
+  let def: any;
+  try {
+    def = YAML.parse(yaml);
+  } catch (e) {
+    throw new Error(`invalid YAML: ${(e as Error).message}`);
+  }
+  if (!def?.id || typeof def.id !== 'string') {
+    throw new Error('manifest.id is required');
+  }
+  if (!/^[a-z0-9][a-z0-9_-]*$/.test(def.id)) {
+    throw new Error(`manifest.id "${def.id}" must be lowercase alphanumerics + hyphens/underscores`);
+  }
+  if (!def.name || typeof def.name !== 'string') {
+    throw new Error('manifest.name is required');
+  }
+  if (!def.tools && !(Array.isArray(def.connectors) && def.connectors.length)) {
+    throw new Error('manifest must declare `tools` or `connectors[]`');
+  }
+  return { id: def.id, name: def.name, version: def.version };
+}
+
+function safeEntryPath(name: string): string | null {
+  // Reject absolute paths, parent-dir escapes, leading slashes.
+  if (!name || name.startsWith('/') || name.includes('..')) return null;
+  const normalized = normalize(name).replace(/^[/\\]+/, '');
+  if (normalized.split(sep).some((seg) => seg === '..' || seg === '')) return null;
+  return normalized;
+}
+
+function ensureDir(p: string): void {
+  if (!existsSync(p)) mkdirSync(p, { recursive: true, mode: 0o700 });
+}
+
+interface InstallResult {
+  ok: boolean;
+  id?: string;
+  version?: string;
+  files_written?: number;
+  error?: string;
+}
+
+function installFromFiles(
+  manifestYaml: string,
+  extraFiles: Array<{ path: string; data: Buffer }>,
+): InstallResult {
+  let parsed: ParsedManifest;
+  try { parsed = parseManifest(manifestYaml); }
+  catch (e) { return { ok: false, error: (e as Error).message }; }
+
+  const dir = join(getDataDir(), 'connectors', parsed.id);
+  ensureDir(dir);
+
+  // Wipe stale siblings from a prior install of the same id (but
+  // preserve nothing — local install replaces the directory).
+  // For safety, we only write inside `dir`; safeEntryPath gated it.
+
+  writeFileSync(join(dir, 'manifest.yaml'), manifestYaml, { mode: 0o600 });
+  let written = 1;
+  for (const f of extraFiles) {
+    const target = join(dir, f.path);
+    ensureDir(join(target, '..'));
+    writeFileSync(target, f.data, { mode: 0o600 });
+    written += 1;
+  }
+
+  const ok = installConnector(parsed.id, manifestYaml);
+  if (!ok) {
+    return { ok: false, error: 'installConnector rejected the manifest (re-parse failed)' };
+  }
+  return {
+    ok: true,
+    id: parsed.id,
+    version: parsed.version || '0.0.0',
+    files_written: written,
+  };
+}
+
+export async function POST(req: Request) {
+  const ct = req.headers.get('content-type') || '';
+
+  // ── JSON path: { yaml: "...", id?: "..." } ─────────────────
+  if (ct.includes('application/json')) {
+    let body: any = {};
+    try { body = await req.json(); } catch {}
+    const yaml = typeof body?.yaml === 'string' ? body.yaml : '';
+    if (!yaml) {
+      return NextResponse.json({ ok: false, error: 'yaml field is required' }, { status: 400 });
+    }
+    const r = installFromFiles(yaml, []);
+    return NextResponse.json(r, { status: r.ok ? 200 : 400 });
+  }
+
+  // ── multipart: file = .yaml | .yml | .zip ──────────────────
+  if (ct.includes('multipart/form-data')) {
+    let form: FormData;
+    try { form = await req.formData(); }
+    catch (e) {
+      return NextResponse.json({ ok: false, error: 'invalid multipart body' }, { status: 400 });
+    }
+    const file = form.get('file');
+    if (!(file instanceof File)) {
+      return NextResponse.json({ ok: false, error: 'file field missing' }, { status: 400 });
+    }
+    if (file.size > MAX_ZIP_BYTES) {
+      return NextResponse.json({ ok: false, error: `file too large (max ${MAX_ZIP_BYTES} bytes)` }, { status: 413 });
+    }
+
+    const name = file.name.toLowerCase();
+    const buf = Buffer.from(await file.arrayBuffer());
+
+    if (name.endsWith('.yaml') || name.endsWith('.yml')) {
+      const r = installFromFiles(buf.toString('utf-8'), []);
+      return NextResponse.json(r, { status: r.ok ? 200 : 400 });
+    }
+
+    if (name.endsWith('.zip')) {
+      let zip: AdmZip;
+      try { zip = new AdmZip(buf); }
+      catch (e) {
+        return NextResponse.json({ ok: false, error: `invalid zip: ${(e as Error).message}` }, { status: 400 });
+      }
+      const entries = zip.getEntries().filter((e) => !e.isDirectory);
+      if (entries.length === 0) {
+        return NextResponse.json({ ok: false, error: 'zip is empty' }, { status: 400 });
+      }
+      if (entries.length > MAX_FILES_IN_ZIP) {
+        return NextResponse.json({ ok: false, error: `zip has too many files (max ${MAX_FILES_IN_ZIP})` }, { status: 400 });
+      }
+
+      // Locate manifest.yaml at the root.
+      const manifestEntry = entries.find((e) => {
+        const safe = safeEntryPath(e.entryName);
+        return safe === 'manifest.yaml' || safe === 'manifest.yml';
+      });
+      if (!manifestEntry) {
+        return NextResponse.json({ ok: false, error: 'zip must contain manifest.yaml at the root' }, { status: 400 });
+      }
+      const manifestYaml = manifestEntry.getData().toString('utf-8');
+
+      const extras: Array<{ path: string; data: Buffer }> = [];
+      for (const e of entries) {
+        if (e === manifestEntry) continue;
+        const safe = safeEntryPath(e.entryName);
+        if (!safe) {
+          return NextResponse.json({ ok: false, error: `unsafe path in zip: ${e.entryName}` }, { status: 400 });
+        }
+        const data = e.getData();
+        if (data.length > MAX_FILE_BYTES) {
+          return NextResponse.json({ ok: false, error: `entry too large: ${safe}` }, { status: 413 });
+        }
+        extras.push({ path: safe, data });
+      }
+      const r = installFromFiles(manifestYaml, extras);
+      return NextResponse.json(r, { status: r.ok ? 200 : 400 });
+    }
+
+    return NextResponse.json({ ok: false, error: 'unsupported file extension (expected .yaml/.yml/.zip)' }, { status: 400 });
+  }
+
+  return NextResponse.json({ ok: false, error: 'expected JSON or multipart/form-data' }, { status: 400 });
+}