@claudelaw/taichu 0.6.0

package/packages/server/src/routes/relationships.js

@@ -0,0 +1,133 @@
+/**
+ * Relationship Routes — 内容关系图谱 API
+ *
+ * GET    /api/content/:type/:id/relationships           — list all relationships
+ * POST   /api/content/:type/:id/relationships           — create relationship
+ * GET    /api/content/:type/:id/relationships/backlinks — incoming references
+ * DELETE /api/content/:type/:id/relationships/:targetId — remove relationship
+ * GET    /api/content/:type/:id/graph?depth=2           — traverse subgraph
+ */
+
+import { requireAuth } from '../middleware/auth.js';
+import {
+  getRelationships,
+  getBacklinks,
+  getAllRelationships,
+  addRelationship,
+  removeRelationship,
+  traverseGraph
+} from './relationships.js';
+import { getStore } from '../context.js';
+
+/** @param {import('./context.js').Context} ctx */
+export async function relationshipRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // Auth required
+  const authResult = await requireAuth(ctx);
+  if (!authResult.authenticated) {
+    ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+    return;
+  }
+  ctx.actor = authResult.actor;
+
+  const store = getStore();
+  const match = pathname.match(/^\/api\/content\/([a-z][a-z0-9_]*)\/([\w-]+)\/(relationships(?:\/backlinks)?|graph)$/);
+  if (!match) {
+    ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+    return;
+  }
+
+  const [, type, id, action] = match;
+  const doc = await store.get(id);
+  if (!doc || doc.type !== type) {
+    ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: 'Document not found' }));
+    return;
+  }
+
+  // GET /relationships — list all (outgoing + incoming)
+  if (action === 'relationships' && method === 'GET') {
+    const result = await getAllRelationships(store, id);
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(result));
+    return;
+  }
+
+  // GET /relationships/backlinks
+  if (action === 'relationships/backlinks' && method === 'GET') {
+    const result = await getBacklinks(store, id);
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(result));
+    return;
+  }
+
+  // POST /relationships — create
+  if (action === 'relationships' && method === 'POST') {
+    const { targetId, type, meta } = ctx.body || {};
+    if (!targetId || !type) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'targetId and type are required' }));
+      return;
+    }
+
+    try {
+      const result = await addRelationship(store, id, targetId, type, meta);
+      if (result.alreadyExists) {
+        ctx.res.writeHead(409, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'ALREADY_EXISTS', message: 'Relationship already exists' }));
+        return;
+      }
+      ctx.res.writeHead(201, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    } catch (err) {
+      const status = err.message.includes('not found') ? 404 : 400;
+      ctx.res.writeHead(status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'RELATIONSHIP_ERROR', message: err.message }));
+    }
+    return;
+  }
+
+  // DELETE /relationships/:targetId
+  const delMatch = pathname.match(/\/relationships\/([\w-]+)$/);
+  if (delMatch && method === 'DELETE') {
+    const targetId = delMatch[1];
+    const relType = ctx.url.searchParams.get('type') || undefined;
+    try {
+      const result = await removeRelationship(store, id, targetId, relType);
+      if (result.notFound) {
+        ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: 'Relationship not found' }));
+        return;
+      }
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    } catch (err) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'RELATIONSHIP_ERROR', message: err.message }));
+    }
+    return;
+  }
+
+  // GET /graph?depth=2&types=related_to,parent_of
+  if (action === 'graph' && method === 'GET') {
+    const depth = parseInt(ctx.url.searchParams.get('depth')) || 2;
+    const types = ctx.url.searchParams.get('types')?.split(',').filter(Boolean) || null;
+
+    try {
+      const result = await traverseGraph(store, id, { depth, types });
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ startId: id, depth, types, ...result }));
+    } catch (err) {
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'GRAPH_ERROR', message: err.message }));
+    }
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}

package/packages/server/src/routes/rss.js

@@ -0,0 +1,92 @@
+/**
+ * RSS + Sitemap Route Handler
+ *
+ * GET /rss.xml    — RSS 2.0 feed of published articles
+ * GET /sitemap.xml — XML sitemap for search engines
+ */
+
+import { getStore } from '../context.js';
+
+export async function rssSitemapRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const store = getStore();
+
+  if (pathname === '/rss.xml') {
+    try {
+      const docs = await store.list({ type: 'article', status: 'published', limit: 20 });
+      const settingsDocs = await store.list({ type: 'site_settings', limit: 1 });
+      const site = settingsDocs[0]?.data || {};
+
+      const items = (docs || []).map(d => {
+        const title = d.data?.title || 'Untitled';
+        const desc = excerpt(d.data?.body) || title;
+        const link = `${ctx.url.protocol}//${ctx.url.host}/post/${d.data?.slug || d.id}`;
+        const date = new Date(d.updatedAt).toUTCString();
+        return `<item><title>${esc(title)}</title><link>${esc(link)}</link><description>${esc(desc)}</description><pubDate>${date}</pubDate><guid>${esc(link)}</guid></item>`;
+      }).join('\n');
+
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+<title>${esc(site.siteName || 'Taichu CMS')}</title>
+<link>${ctx.url.protocol}//${ctx.url.host}</link>
+<description>${esc(site.siteDescription || '')}</description>
+<language>${site.language || 'zh-CN'}</language>
+<atom:link href="${ctx.url.protocol}//${ctx.url.host}/rss.xml" rel="self" type="application/rss+xml"/>
+${items}
+</channel>
+</rss>`;
+
+      ctx.res.writeHead(200, { 'Content-Type': 'application/rss+xml; charset=utf-8' });
+      ctx.res.end(xml);
+      return;
+    } catch (err) {
+      ctx.res.writeHead(500, { 'Content-Type': 'text/plain' });
+      ctx.res.end('RSS Error: ' + err.message);
+      return;
+    }
+  }
+
+  if (pathname === '/sitemap.xml') {
+    try {
+      const articles = await store.list({ type: 'article', status: 'published', limit: 1000 });
+      const pages = await store.list({ type: 'page', status: 'published', limit: 100 });
+
+      const host = `${ctx.url.protocol}//${ctx.url.host}`;
+      let urls = `<url><loc>${esc(host)}</loc><changefreq>daily</changefreq><priority>1.0</priority></url>\n`;
+
+      for (const a of (articles || [])) {
+        const slug = a.data?.slug || a.id;
+        urls += `<url><loc>${esc(host)}/post/${esc(slug)}</loc><lastmod>${new Date(a.updatedAt).toISOString()}</lastmod><changefreq>weekly</changefreq><priority>0.8</priority></url>\n`;
+      }
+      for (const p of (pages || [])) {
+        const slug = p.data?.slug || p.id;
+        urls += `<url><loc>${esc(host)}/page/${esc(slug)}</loc><changefreq>monthly</changefreq><priority>0.6</priority></url>\n`;
+      }
+
+      const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+${urls}</urlset>`;
+
+      ctx.res.writeHead(200, { 'Content-Type': 'application/xml; charset=utf-8' });
+      ctx.res.end(xml);
+      return;
+    } catch (err) {
+      ctx.res.writeHead(500, { 'Content-Type': 'text/plain' });
+      ctx.res.end('Sitemap Error: ' + err.message);
+      return;
+    }
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'text/plain' });
+  ctx.res.end('Not Found');
+}
+
+function esc(s) { return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;'); }
+function excerpt(body) {
+  if (!body) return '';
+  if (typeof body === 'string') return body.substring(0, 300);
+  if (body.text) return body.text.substring(0, 300);
+  if (body.content) return body.content.map(n => n.text||'').join(' ').substring(0, 300);
+  return '';
+}

package/packages/server/src/routes/sso.js

@@ -0,0 +1,211 @@
+/**
+ * SSO Routes — 企业单点登录 (OIDC + LDAP)
+ *
+ * GET  /api/sso/providers       — 列出可用 SSO Provider
+ * GET  /api/sso/oidc            — 发起 OIDC 登录（重定向到 IdP）
+ * GET  /api/sso/oidc/callback   — OIDC 回调处理（code → token → JWT）
+ */
+
+import { getSSOProviders } from '../sso-analytics.js';
+import { createHash, createVerify } from 'node:crypto';
+import { createLogger } from '../logger.js';
+import { getStore } from '../context.js';
+
+const log = createLogger('sso');
+
+export async function ssoRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // GET /api/sso/providers — list available SSO providers
+  if (pathname === '/api/sso/providers' && method === 'GET') {
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ providers: getSSOProviders() }));
+    return;
+  }
+
+  // GET /api/sso/oidc — redirect to IdP
+  if (pathname === '/api/sso/oidc' && method === 'GET') {
+    const issuer = process.env.TAICHU_SSO_OIDC_ISSUER;
+    const clientId = process.env.TAICHU_SSO_OIDC_CLIENT_ID;
+    if (!issuer || !clientId) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'SSO not configured. Set TAICHU_SSO_OIDC_ISSUER and TAICHU_SSO_OIDC_CLIENT_ID' }));
+      return;
+    }
+
+    const redirectUri = `http://${ctx.req.headers.host}/api/sso/oidc/callback`;
+    const state = Buffer.from(JSON.stringify({ ts: Date.now() })).toString('base64url');
+    const nonce = createHash('sha256').update(String(Date.now())).digest('hex').substring(0, 16);
+
+    const authUrl = `${issuer}/authorize?` + new URLSearchParams({
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: 'openid profile email',
+      state,
+      nonce
+    }).toString();
+
+    log.info(`OIDC redirect to ${issuer}`);
+    ctx.res.writeHead(307, { Location: authUrl });
+    ctx.res.end();
+    return;
+  }
+
+  // GET /api/sso/oidc/callback — handle IdP callback
+  if (pathname === '/api/sso/oidc/callback' && method === 'GET') {
+    const code = ctx.url.searchParams.get('code');
+    const state = ctx.url.searchParams.get('state');
+    const error = ctx.url.searchParams.get('error');
+
+    if (error) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'SSO authorization failed', detail: error }));
+      return;
+    }
+    if (!code) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Missing authorization code' }));
+      return;
+    }
+
+    const issuer = process.env.TAICHU_SSO_OIDC_ISSUER;
+    const clientId = process.env.TAICHU_SSO_OIDC_CLIENT_ID;
+    const clientSecret = process.env.TAICHU_SSO_OIDC_CLIENT_SECRET;
+    const redirectUri = `http://${ctx.req.headers.host}/api/sso/oidc/callback`;
+
+    if (!issuer || !clientId || !clientSecret) {
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'OIDC not fully configured (missing CLIENT_SECRET)' }));
+      return;
+    }
+
+    try {
+      // Exchange code for tokens
+      const tokenRes = await fetch(`${issuer}/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          client_id: clientId,
+          client_secret: clientSecret,
+          redirect_uri: redirectUri
+        }).toString()
+      });
+
+      if (!tokenRes.ok) {
+        const errBody = await tokenRes.text();
+        log.error(`Token exchange failed: ${errBody}`);
+        ctx.res.writeHead(401, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'Token exchange failed' }));
+        return;
+      }
+
+      const tokens = await tokenRes.json();
+      const idToken = tokens.id_token;
+
+      if (!idToken) {
+        ctx.res.writeHead(401, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'No id_token received' }));
+        return;
+      }
+
+      // Decode payload without verifying signature (basic validation)
+      const payload = decodeJwtPayload(idToken);
+      if (!payload) {
+        ctx.res.writeHead(401, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'Invalid id_token' }));
+        return;
+      }
+
+      const { sub, email, name, preferred_username } = payload;
+      const username = preferred_username || email?.split('@')[0] || sub;
+      const displayName = name || username;
+
+      log.info(`OIDC login: ${email || sub} (${displayName})`);
+
+      // Find or create user
+      const store = getStore();
+      let user = null;
+      if (store) {
+        const users = await store.list({ type: 'user', limit: 100 });
+        user = users.find(u => u.data?.ssoSub === sub || u.data?.email === email);
+        if (!user) {
+          user = await store.create({
+            type: 'user',
+            data: {
+              username,
+              email: email || '',
+              displayName,
+              ssoSub: sub,
+              ssoProvider: 'oidc',
+              role: 'editor'
+            },
+            status: 'active'
+          });
+          log.info(`Created SSO user: ${username}`);
+        }
+      }
+
+      // Generate JWT session token
+      const jwt = signJwt({
+        sub: user?.id || sub,
+        username,
+        role: user?.data?.role || 'editor',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 86400
+      });
+
+      // Return HTML page that stores token and redirects to admin
+      const adminUrl = '/admin/';
+      const html = `<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>登录中...</title></head>
+<body style="font-family:sans-serif;text-align:center;padding-top:80px;">
+<p>✅ 登录成功，正在跳转...</p>
+<script>
+localStorage.setItem('taichu_token', '${jwt}');
+localStorage.setItem('taichu_user', '${JSON.stringify({ id: user?.id, username, role: 'editor' }).replace(/'/g, "\\'")}');
+location.href = '${adminUrl}';
+</script>
+</body></html>`;
+
+      ctx.res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+      ctx.res.end(html);
+    } catch (err) {
+      log.error(`OIDC callback error: ${err.message}`);
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Internal error during SSO callback' }));
+    }
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}
+
+/**
+ * Decode JWT payload (no signature verification — for basic claims extraction).
+ */
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf-8'));
+  } catch { return null; }
+}
+
+/**
+ * Sign a simple JWT with HS256.
+ */
+function signJwt(payload) {
+  const secret = process.env.TAICHU_JWT_SECRET || 'taichu-dev-secret-change-me';
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signature = createHash('sha256')
+    .update(headerB64 + '.' + payloadB64 + secret)
+    .digest('base64url');
+  return `${headerB64}.${payloadB64}.${signature}`;
+}

package/packages/server/src/routes/theme.js

@@ -0,0 +1,119 @@
+/**
+ * Theme Management API
+ *
+ * GET    /api/theme        — List available themes
+ * POST   /api/theme/upload — Upload custom theme (.zip)
+ * DELETE /api/theme/:name  — Delete custom theme
+ * POST   /api/theme/activate/:name — Activate a theme
+ */
+
+import { writeFileSync, mkdirSync, existsSync, unlinkSync, rmdirSync, readdirSync, createWriteStream } from 'node:fs';
+import { join } from 'node:path';
+import { pipeline } from 'node:stream';
+import { requireAuth } from '../middleware/auth.js';
+import { createLogger } from '../logger.js';
+
+const log = createLogger('theme');
+const THEME_DIR = join(process.cwd(), '.taichu', 'themes');
+const PUBLIC_THEME_DIR = join(import.meta.dirname, '..', 'public');
+
+// Built-in themes
+const BUILT_IN_THEMES = [
+  { name: 'default', label: '默认博客主题', description: 'Taichu 内置简洁博客主题，支持文章/页面/分类/搜索/分页', active: true, builtin: true },
+  { name: 'theme-minimal', label: '极简主题', description: '衬线字体 + 留白布局，适合个人博客和作品集', active: false, builtin: true, dir: 'theme-minimal' }
+];
+
+/**
+ * Get active theme name from settings or default.
+ */
+function getActiveTheme(store) {
+  return store?._settings?.theme || 'default';
+}
+
+export async function themeRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // GET /api/theme — list themes
+  if (pathname === '/api/theme' && method === 'GET') {
+    // No auth required for listing
+    const customThemes = [];
+    if (existsSync(THEME_DIR)) {
+      readdirSync(THEME_DIR, { withFileTypes: true }).forEach(entry => {
+        if (entry.isDirectory()) customThemes.push(entry.name);
+      });
+    }
+
+    const activeTheme = 'default'; // TODO: read from settings
+    const all = BUILT_IN_THEMES.map(t => ({
+      ...t,
+      active: t.name === activeTheme
+    }));
+
+    for (const name of customThemes) {
+      if (!all.find(t => t.name === name)) {
+        all.push({ name, label: name, description: '自定义主题', active: name === activeTheme, builtin: false });
+      }
+    }
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ themes: all, active: activeTheme }));
+    return;
+  }
+
+  // Auth required for management
+  const authResult = await requireAuth(ctx);
+  if (!authResult.authenticated) {
+    ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+    return;
+  }
+
+  // POST /api/theme/activate/:name
+  const actMatch = pathname.match(/^\/api\/theme\/activate\/([\w-]+)$/);
+  if (actMatch && method === 'POST') {
+    const name = actMatch[1];
+    const isValid = BUILT_IN_THEMES.some(t => t.name === name) || existsSync(join(THEME_DIR, name));
+    if (!isValid) {
+      ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Theme not found' }));
+      return;
+    }
+    // Store active theme in settings (simplified: write to env or config)
+    try {
+      const store = ctx.store;
+      if (store && store._settings !== undefined) store._settings = store._settings || {};
+      if (store) store._settings = { ...(store._settings || {}), theme: name };
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ success: true, active: name }));
+    } catch (e) {
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: e.message }));
+    }
+    return;
+  }
+
+  // DELETE /api/theme/:name
+
+  // DELETE /api/theme/:name
+  const delMatch = pathname.match(/^\/api\/theme\/([\w-]+)$/);
+  if (delMatch && method === 'DELETE') {
+    const name = delMatch[1];
+    if (name === 'default') {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'Cannot delete default theme' }));
+      return;
+    }
+    const dir = join(THEME_DIR, name);
+    if (existsSync(dir)) {
+      readdirSync(dir).forEach(f => unlinkSync(join(dir, f)));
+      rmdirSync(dir);
+    }
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ success: true }));
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}

package/packages/server/src/routes/webhook.js

@@ -0,0 +1,94 @@
+/**
+ * Webhook Routes
+ *
+ * POST   /api/webhooks       — Register webhook
+ * GET    /api/webhooks        — List webhooks
+ * DELETE /api/webhooks/:id    — Delete webhook
+ * GET    /api/webhooks/log    — Delivery log
+ */
+
+import { requireAuth } from '../middleware/auth.js';
+import { getWebhookManager } from '../webhook.js';
+import { getStore } from '../context.js';
+
+export async function webhookRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  const wm = getWebhookManager(getStore());
+
+  // POST /api/webhooks — register
+  if (pathname === '/api/webhooks' && method === 'POST') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    const { url, events, types, secret, label } = ctx.body || {};
+    if (!url) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'url is required' }));
+      return;
+    }
+
+    try {
+      const wh = await wm.register({ url, events, types, secret, label });
+      ctx.res.writeHead(201, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ webhook: wh, secret: wh.secret, note: 'Save this secret — it will not be shown again' }));
+    } catch (err) {
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'INTERNAL_ERROR', message: err.message }));
+    }
+    return;
+  }
+
+  // GET /api/webhooks — list
+  if (pathname === '/api/webhooks' && method === 'GET') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    const hooks = await wm.list();
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ webhooks: hooks.map(h => ({ id: h.id, url: h.url, label: h.label, events: h.events, types: h.types, active: h.active, stats: h.stats, createdAt: h.createdAt })) }));
+    return;
+  }
+
+  // GET /api/webhooks/log — delivery log
+  if (pathname === '/api/webhooks/log' && method === 'GET') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ log: wm.getLog(), stats: wm.getStats() }));
+    return;
+  }
+
+  // DELETE /api/webhooks/:id
+  const delMatch = pathname.match(/^\/api\/webhooks\/([\w-]+)$/);
+  if (delMatch && method === 'DELETE') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    await wm.remove(delMatch[1]);
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ success: true }));
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}