@claudelaw/taichu 0.6.0

package/packages/server/src/router.js

@@ -0,0 +1,194 @@
+/**
+ * Router — Taichu 路由分发
+ *
+ * 基于 URL 模式匹配的轻量路由。
+ * 支持：
+ *   - 静态路由：/api/health
+ *   - 参数路由：/api/content/:type/:id
+ *   - HTTP 方法区分
+ */
+
+import { apiRoutes } from './routes/api.js';
+import { authRoutes } from './routes/auth.js';
+import { graphqlRoutes } from './routes/graphql.js';
+import { mediaRoutes } from './routes/media.js';
+import { collabRoutes } from './routes/collab.js';
+import { webhookRoutes } from './routes/webhook.js';
+import { auditRoutes, revisionRoutes } from './routes/audit.js';
+import { relationshipRoutes } from './routes/relationships.js';
+import { pluginMarketplaceRoutes } from './routes/plugin-marketplace.js';
+import { activityPubRoutes } from './routes/activitypub.js';
+import { workflowRoutes } from './routes/workflow.js';
+import { wechatRoutes } from './routes/wechat.js';
+import { ssoRoutes } from './routes/sso.js';
+import { themeRoutes } from './routes/theme.js';
+import { rssSitemapRoutes } from './routes/rss.js';
+import { exportRoutes } from './routes/export.js';
+import { serveStatic } from './static.js';
+import { createMediaStore } from './media-store.js';
+import { renderTheme, serveThemeAsset } from './theme-engine.js';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PUBLIC_DIR = join(__dirname, '..', 'public');
+
+/**
+ * @param {import('./context.js').Context} ctx
+ */
+export async function router(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // Auth routes
+  if (pathname.startsWith('/api/auth')) {
+    return authRoutes(ctx);
+  }
+
+  // ActivityPub & WebFinger (no auth required for federation)
+  if (pathname.startsWith('/api/activitypub') || pathname.startsWith('/.well-known/')) {
+    return activityPubRoutes(ctx);
+  }
+
+  // GraphQL API
+  if (pathname === '/api/graphql') {
+    return graphqlRoutes(ctx);
+  }
+
+  // Collaboration & WebSocket
+  if (pathname.startsWith('/api/collab') || pathname === '/api/ws') {
+    return collabRoutes(ctx);
+  }
+
+  // Webhooks
+  if (pathname.startsWith('/api/webhooks')) {
+    return webhookRoutes(ctx);
+  }
+
+  // Audit, pipelines, site settings
+  if (pathname.startsWith('/api/audit') || pathname.startsWith('/api/pipelines') || pathname === '/api/site-settings') {
+    return auditRoutes(ctx);
+  }
+
+  // Workflow routes (review/approve/reject)
+  if (pathname.startsWith('/api/workflow')) {
+    return workflowRoutes(ctx);
+  }
+
+  // SSO routes
+  if (pathname.startsWith('/api/sso')) {
+    return ssoRoutes(ctx);
+  }
+
+  // Theme management routes
+  if (pathname.startsWith('/api/theme')) {
+    return themeRoutes(ctx);
+  }
+
+  // WeChat integration routes
+  if (pathname.startsWith('/api/wechat')) {
+    return wechatRoutes(ctx);
+  }
+
+  // Media routes (upload/list/delete)
+  if (pathname.startsWith('/api/media')) {
+    return mediaRoutes(ctx);
+  }
+
+  // Revision routes (must precede content routes)
+  const revMatch = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)\/([\w-]+)\/(revisions.*)$/);
+  if (revMatch) {
+    return revisionRoutes(ctx, revMatch[1], revMatch[2]);
+  }
+
+  // Relationship routes (must precede content routes)
+  const relMatch = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)\/([\w-]+)\/(relationships|graph)/);
+  if (relMatch) {
+    return relationshipRoutes(ctx);
+  }
+
+  // Plugin marketplace routes
+  if (pathname.startsWith('/api/plugins')) {
+    return pluginMarketplaceRoutes(ctx);
+  }
+
+  // Content API routes
+  if (pathname.startsWith('/api')) {
+    return apiRoutes(ctx);
+  }
+
+  // Admin SPA static files
+  if (pathname.startsWith('/admin')) {
+    const served = await serveStatic(ctx, PUBLIC_DIR, pathname);
+    if (served) return;
+  }
+
+  // Uploaded media files
+  if (pathname.startsWith('/uploads/')) {
+    const mediaStore = createMediaStore();
+    const relativePath = pathname.slice('/uploads/'.length);
+    const served = await serveStatic(ctx, mediaStore.uploadDir, relativePath);
+    if (served) return;
+  }
+
+  // Theme static assets
+  if (pathname.startsWith('/theme/')) {
+    const assetPath = pathname.replace('/theme/', '');
+    const served = await serveThemeAsset(ctx, assetPath);
+    if (served) return;
+  }
+
+  // Public static files (ws-test.html, etc.)
+  {
+    const served = await serveStatic(ctx, PUBLIC_DIR, pathname);
+    if (served) return;
+  }
+
+  // Health check
+  if (pathname === '/health') {
+    const mem = process.memoryUsage();
+    const { getWSS } = await import('./websocket.js');
+    const { getConfig } = await import('./config.js');
+    const cfg = getConfig();
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({
+      status: 'ok',
+      name: 'taichu',
+      version: cfg.version,
+      uptime: Math.floor(process.uptime()),
+      node: process.version,
+      env: cfg.nodeEnv,
+      store: cfg.storage,
+      memory: {
+        rss: Math.round(mem.rss / 1024 / 1024) + 'MB',
+        heapUsed: Math.round(mem.heapUsed / 1024 / 1024) + 'MB'
+      },
+      ws: getWSS().getStats(),
+      timestamp: new Date().toISOString()
+    }));
+    return;
+  }
+
+  // Content Export
+  if (pathname.startsWith('/api/export')) {
+    const handled = await exportRoutes(ctx);
+    if (handled) return;
+  }
+
+  // RSS & Sitemap
+  if (pathname === '/rss.xml' || pathname === '/sitemap.xml') {
+    return rssSitemapRoutes(ctx);
+  }
+
+  // Frontend Theme — catch-all for non-API, non-admin paths
+  if (!pathname.startsWith('/api') && !pathname.startsWith('/admin') && !pathname.startsWith('/uploads')) {
+    return renderTheme(ctx);
+  }
+
+  // 404
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({
+    error: 'NOT_FOUND',
+    message: `Route not found: ${method} ${pathname}`
+  }));
+}

package/packages/server/src/routes/activitypub.js

@@ -0,0 +1,140 @@
+/**
+ * ActivityPub Routes
+ *
+ * GET  /.well-known/webfinger?resource=acct:taichu@host   — WebFinger discovery
+ * GET  /api/activitypub/actor                              — Actor JSON-LD
+ * GET  /api/activitypub/outbox                             — Activity outbox
+ * POST /api/activitypub/inbox                              — Receive activities
+ * GET  /api/activitypub/followers                          — Followers collection
+ */
+
+import {
+  actorObject,
+  webfingerResponse,
+  createContentActivity,
+  processInboxActivity
+} from '../activitypub.js';
+import { getStore } from '../context.js';
+import { createLogger } from '../logger.js';
+
+const log = createLogger('ap-routes');
+
+const AP_CONTENT_TYPE = 'application/activity+json; charset=utf-8';
+
+/** @param {import('../context.js').Context} ctx */
+export async function activityPubRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // WebFinger
+  if (pathname === '/.well-known/webfinger' && method === 'GET') {
+    const resource = ctx.url.searchParams.get('resource');
+    if (!resource) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Missing "resource" parameter' }));
+      return;
+    }
+    const result = webfingerResponse(resource);
+    ctx.res.writeHead(200, { 'Content-Type': 'application/jrd+json' });
+    ctx.res.end(JSON.stringify(result));
+    return;
+  }
+
+  // NodeInfo (for fediverse discovery)
+  if (pathname === '/.well-known/nodeinfo' && method === 'GET') {
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({
+      links: [{ rel: 'http://nodeinfo.diaspora.software/ns/schema/2.0', href: `${getBaseUrl(ctx)}/api/activitypub/nodeinfo` }]
+    }));
+    return;
+  }
+
+  // Actor
+  if (pathname === '/api/activitypub/actor' && method === 'GET') {
+    const actor = actorObject();
+    ctx.res.writeHead(200, { 'Content-Type': AP_CONTENT_TYPE });
+    ctx.res.end(JSON.stringify(actor));
+    return;
+  }
+
+  // Outbox
+  if (pathname === '/api/activitypub/outbox' && method === 'GET') {
+    const store = getStore();
+    const activities = [];
+    try {
+      // Get recently published content as activities
+      const docs = await store.list({ type: 'article', status: 'published', limit: 20, orderBy: 'updated_at', order: 'desc' });
+      for (const doc of docs) {
+        activities.push(createContentActivity(doc));
+      }
+    } catch (_) {}
+
+    const outbox = {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      id: `${getBaseUrl(ctx)}/api/activitypub/outbox`,
+      type: 'OrderedCollection',
+      totalItems: activities.length,
+      orderedItems: activities
+    };
+
+    ctx.res.writeHead(200, { 'Content-Type': AP_CONTENT_TYPE });
+    ctx.res.end(JSON.stringify(outbox));
+    return;
+  }
+
+  // Followers
+  if (pathname === '/api/activitypub/followers' && method === 'GET') {
+    ctx.res.writeHead(200, { 'Content-Type': AP_CONTENT_TYPE });
+    ctx.res.end(JSON.stringify({
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      id: `${getBaseUrl(ctx)}/api/activitypub/followers`,
+      type: 'OrderedCollection',
+      totalItems: 0,
+      orderedItems: []
+    }));
+    return;
+  }
+
+  // Inbox (POST only)
+  if (pathname === '/api/activitypub/inbox' && method === 'POST') {
+    try {
+      const result = await processInboxActivity(ctx.body, ctx.req.headers);
+      if (result.accepted) {
+        ctx.res.writeHead(result.response ? 200 : 202, { 'Content-Type': AP_CONTENT_TYPE });
+        ctx.res.end(JSON.stringify(result.response || { accepted: true }));
+      } else {
+        ctx.res.writeHead(401, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: result.reason || 'Rejected' }));
+      }
+    } catch (err) {
+      log.error(`Inbox error: ${err.message}`);
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Internal error' }));
+    }
+    return;
+  }
+
+  // NodeInfo endpoint
+  if (pathname === '/api/activitypub/nodeinfo' && method === 'GET') {
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({
+      version: '2.0',
+      software: { name: 'taichu', version: '0.5.0' },
+      protocols: ['activitypub'],
+      services: { inbound: [], outbound: [] },
+      openRegistrations: false,
+      usage: { users: { total: 1 } },
+      metadata: { nodeName: 'Taichu CMS' }
+    }));
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}
+
+function getBaseUrl(ctx) {
+  const proto = ctx.req.headers['x-forwarded-proto'] || 'http';
+  const host = ctx.req.headers['x-forwarded-host'] || ctx.req.headers.host || 'localhost';
+  return `${proto}://${host}`;
+}

package/packages/server/src/routes/api.js

@@ -0,0 +1,363 @@
+/**
+ * API Routes
+ *
+ * 所有 /api/* 的路由处理。
+ *
+ * 端点设计：
+ *   GET    /api/content/:type          — 列出某类型的所有文档
+ *   GET    /api/content/:type/:id      — 获取单个文档
+ *   POST   /api/content/:type          — 创建文档
+ *   PUT    /api/content/:type/:id      — 更新文档
+ *   DELETE /api/content/:type/:id      — 删除文档
+ *   GET    /api/content-types          — 列出所有已注册的内容类型
+ *   GET    /api/content-types/:name    — 获取内容类型 Schema
+ *   GET    /api/health                 — 健康检查
+ */
+
+import { NotFoundError, ValidationError } from '../../../core/src/errors.js';
+import { search as vectorSearch } from '../search.js';
+import { requireAuth, requireScopedAuth, optionalAuth } from '../middleware/auth.js';
+
+// Built-in content type registry
+// Plugins/extensions can register additional types via hooks
+const _contentTypes = new Map();
+
+/**
+ * Register a content type for API exposure.
+ */
+export function registerContentType(ct) {
+  _contentTypes.set(ct.name, ct);
+}
+
+/**
+ * Get all registered content types (for GraphQL resolver).
+ */
+export function getContentTypes() {
+  return Array.from(_contentTypes.values()).map(ct => ({
+    name: ct.name,
+    label: ct.label,
+    description: ct.description,
+    schemaOrg: ct.schemaOrg || null,
+    fieldCount: Object.keys(ct.fields).length
+  }));
+}
+
+/**
+ * @param {import('../context.js').Context} ctx
+ */
+export async function apiRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // /api/health
+  if (pathname === '/api/health') {
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({
+      status: 'ok',
+      name: 'taichu',
+      version: '0.1.0',
+      uptime: process.uptime()
+    }));
+    return;
+  }
+
+  // /api/search?q=xxx&type=article
+  if (pathname === '/api/search' && method === 'GET') {
+    const q = ctx.url.searchParams.get('q') || '';
+    const type = ctx.url.searchParams.get('type') || null;
+
+    if (!q || q.length < 2) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'Query must be at least 2 characters' }));
+      return;
+    }
+
+    const results = vectorSearch(q, 20);
+    const docs = [];
+    for (const { docId, score } of results) {
+      try {
+        const doc = await ctx.store.get(docId);
+        if (doc && (!type || doc.type === type)) {
+          docs.push({ ...doc, _score: Math.round(score * 100) / 100 });
+        }
+      } catch (e) { /* skip */ }
+    }
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ query: q, docs, total: docs.length }));
+    return;
+  }
+
+  // /api/content-types
+  if (pathname === '/api/content-types' && method === 'GET') {
+    const types = Array.from(_contentTypes.values()).map(ct => ({
+      name: ct.name,
+      label: ct.label,
+      description: ct.description,
+      schemaOrg: ct.schemaOrg,
+      fields: ct.fields,
+      fieldCount: Object.keys(ct.fields).length
+    }));
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ types }));
+    return;
+  }
+
+  // /api/content-types/:name
+  const ctMatch = pathname.match(/^\/api\/content-types\/([a-z][a-z0-9_]*)$/);
+  if (ctMatch && method === 'GET') {
+    const ct = _contentTypes.get(ctMatch[1]);
+    if (!ct) {
+      ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Content type "${ctMatch[1]}" not found` }));
+      return;
+    }
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(ct.toJSONSchema()));
+    return;
+  }
+
+  // /api/content/:type
+  const listMatch = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)$/);
+  if (listMatch && method === 'GET') {
+    // Auth required by default; set TAICHU_PUBLIC_READ=1 to allow anonymous GET
+    if (!process.env.TAICHU_PUBLIC_READ) {
+      const authResult = await requireAuth(ctx);
+      if (!authResult.authenticated) {
+        ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+        return;
+      }
+      ctx.actor = authResult.actor;
+    } else {
+      await optionalAuth(ctx);
+    }
+
+    const type = listMatch[1];
+    const queryOpts = Object.fromEntries(ctx.url.searchParams);
+    // Multi-tenant: enforce tenant filter unless admin explicitly overrides
+    if (ctx.multiTenant && !queryOpts.tenantId) {
+      queryOpts.tenantId = ctx.tenantId;
+    }
+    const docs = await ctx.store.list({ type, ...queryOpts });
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ docs, total: docs.length }));
+    return;
+  }
+
+  if (listMatch && method === 'POST') {
+    // Require scoped auth for content creation
+    // Exception: comments can be submitted publicly
+    const type = listMatch[1];
+    if (type !== 'comment') {
+      const authResult = await requireScopedAuth(ctx, `${type}:write`);
+      if (!authResult.authenticated) {
+        ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+        return;
+      }
+      ctx.actor = authResult.actor;
+    } else {
+      await optionalAuth(ctx);
+    }
+    const ct = _contentTypes.get(type);
+    if (!ct) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: `Unknown content type: "${type}"` }));
+      return;
+    }
+
+    // Validate
+    const validation = ct.validate(ctx.body?.data || {});
+    if (!validation.valid) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', errors: validation.errors }));
+      return;
+    }
+
+    // Scheduled publishing: validate publishedAt when status='scheduled'
+    const requestedStatus = ctx.body.status;
+    if (requestedStatus === 'scheduled') {
+      const pubAt = ctx.body.publishedAt || ctx.body.data?.publishedAt;
+      if (!pubAt) {
+        ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'publishedAt is required when status is "scheduled"' }));
+        return;
+      }
+      if (new Date(pubAt) <= new Date()) {
+        ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'publishedAt must be in the future for scheduled content' }));
+        return;
+      }
+    }
+
+    // Run beforeCreate hooks
+    let payload = { type, data: ctx.body.data, status: ctx.body.status, publishedAt: ctx.body.publishedAt || null, tenantId: ctx.tenantId };
+    payload = await ctx.hooks.run('beforeCreate', payload, ctx);
+
+    const doc = await ctx.store.create(payload);
+
+    // Run afterCreate hooks
+    await ctx.hooks.run('afterCreate', doc, ctx);
+
+    ctx.res.writeHead(201, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(doc));
+    return;
+  }
+
+  // /api/content/:type/batch — bulk operations
+  const batchMatch = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)\/batch$/);
+  if (batchMatch && method === 'POST') {
+    const authResult = await requireScopedAuth(ctx, `${batchMatch[1]}:write`);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+    ctx.actor = authResult.actor;
+
+    const { action, ids } = ctx.body || {};
+    if (!action || !Array.isArray(ids) || !ids.length) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'action and ids[] are required' }));
+      return;
+    }
+
+    const validActions = ['delete', 'publish', 'archive'];
+    if (!validActions.includes(action)) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: `action must be one of: ${validActions.join(', ')}` }));
+      return;
+    }
+
+    const results = { success: 0, failed: 0, errors: [] };
+    for (const id of ids) {
+      try {
+        const doc = await ctx.store.get(id);
+        if (!doc || doc.type !== batchMatch[1]) {
+          results.failed++;
+          results.errors.push({ id, error: 'Not found or wrong type' });
+          continue;
+        }
+
+        if (action === 'delete') {
+          await ctx.store.delete(id);
+          await ctx.hooks.run('afterDelete', { id, type: batchMatch[1] }, ctx);
+        } else {
+          await ctx.store.update(id, { status: action === 'publish' ? 'published' : 'archived' });
+        }
+        results.success++;
+      } catch (e) {
+        results.failed++;
+        results.errors.push({ id, error: e.message });
+      }
+    }
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(results));
+    return;
+  }
+
+  // /api/content/:type/:id
+  const itemMatch = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)\/([\w-]+)$/);
+  if (itemMatch) {
+    const [, type, id] = itemMatch;
+
+    if (method === 'GET') {
+      if (!process.env.TAICHU_PUBLIC_READ) {
+        const authResult = await requireAuth(ctx);
+        if (!authResult.authenticated) {
+          ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+          ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+          return;
+        }
+        ctx.actor = authResult.actor;
+      } else {
+        await optionalAuth(ctx);
+      }
+
+      const doc = await ctx.store.get(id);
+      if (!doc) {
+        ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Document "${id}" not found` }));
+        return;
+      }
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(doc));
+      return;
+    }
+
+    if (method === 'PUT') {
+      const authResult = await requireScopedAuth(ctx, `${type}:write`);
+      if (!authResult.authenticated) {
+        ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+        return;
+      }
+      ctx.actor = authResult.actor;
+
+      // Scheduled publishing: validate publishedAt when status='scheduled'
+      const requestedStatus = ctx.body.status;
+      if (requestedStatus === 'scheduled') {
+        const pubAt = ctx.body.publishedAt || ctx.body.data?.publishedAt;
+        if (!pubAt) {
+          ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+          ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'publishedAt is required when status is "scheduled"' }));
+          return;
+        }
+        if (new Date(pubAt) <= new Date()) {
+          ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+          ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'publishedAt must be in the future for scheduled content' }));
+          return;
+        }
+      }
+
+      let payload = { id, type, data: ctx.body.data, status: ctx.body.status, publishedAt: ctx.body.publishedAt || undefined };
+      payload = await ctx.hooks.run('beforeUpdate', payload, ctx);
+
+      const doc = await ctx.store.update(id, payload);
+      if (!doc) {
+        ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Document "${id}" not found` }));
+        return;
+      }
+
+      await ctx.hooks.run('afterUpdate', doc, ctx);
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(doc));
+      return;
+    }
+
+    if (method === 'DELETE') {
+      const authResult = await requireScopedAuth(ctx, `${type}:delete`);
+      if (!authResult.authenticated) {
+        ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+        return;
+      }
+      ctx.actor = authResult.actor;
+
+      const basePayload = { id, type };
+      const payload = await ctx.hooks.run('beforeDelete', basePayload, ctx);
+
+      const deleted = await ctx.store.delete(id);
+      if (!deleted) {
+        ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Document "${id}" not found` }));
+        return;
+      }
+
+      await ctx.hooks.run('afterDelete', { id, type }, ctx);
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ success: true }));
+      return;
+    }
+  }
+
+  // 404 for API
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({
+    error: 'NOT_FOUND',
+    message: `API route not found: ${method} ${pathname}`
+  }));
+}