@plank-cms/plank 0.30.1 → 0.31.1

package/dist/admin/index.html

@@ -12,7 +12,7 @@
       href="https://fonts.googleapis.com/css2?family=Google+Sans:ital,opsz,wght@0,17..18,400..700;1,17..18,400..700&display=swap"
       rel="stylesheet"
     />
-    <script type="module" crossorigin src="/admin/assets/index-RfZ7f9RV.js"></script>
+    <script type="module" crossorigin src="/admin/assets/index-laQsuJ53.js"></script>
     <link rel="stylesheet" crossorigin href="/admin/assets/index-CHJ8C--M.css">
   </head>
   <body>

package/dist/index.js

@@ -93,7 +93,7 @@ function getUpdateScriptCommand(name) {
 }
 
 // src/commands/init.ts
-var PACKAGE_VERSION = "0.30.1";
+var PACKAGE_VERSION = "0.31.1";
 function generateSecret() {
   return randomBytes(32).toString("hex");
 }
@@ -203,7 +203,7 @@ import { dirname, join as join3, resolve as resolve2 } from "path";
 async function start() {
   config({ path: resolve2(process.cwd(), ".env") });
   process.env.PLANK_ADMIN_DIST = join3(dirname(fileURLToPath(import.meta.url)), "admin");
-  const { start: startServer } = await import("./server-BDQYF2ZA.js");
+  const { start: startServer } = await import("./server-JNWXLTI3.js");
   await startServer();
 }
 

package/dist/migrations/034_password_reset_tokens.sql

@@ -0,0 +1,14 @@
+CREATE TABLE IF NOT EXISTS plank_password_reset_tokens (
+  id         TEXT PRIMARY KEY,
+  user_id    TEXT NOT NULL REFERENCES plank_users(id) ON DELETE CASCADE,
+  token_hash VARCHAR(255) NOT NULL UNIQUE,
+  expires_at TIMESTAMP NOT NULL,
+  used_at    TIMESTAMP,
+  created_at TIMESTAMP NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_plank_password_reset_tokens_user_id
+  ON plank_password_reset_tokens(user_id);
+
+CREATE INDEX IF NOT EXISTS idx_plank_password_reset_tokens_expires_at
+  ON plank_password_reset_tokens(expires_at);

package/dist/{server-BDQYF2ZA.js → server-JNWXLTI3.js}

@@ -653,8 +653,8 @@ import express from "express";
 import cors from "cors";
 import helmet from "helmet";
 import { readFile as readFile5 } from "fs/promises";
-import { join as join6, dirname as dirname3 } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
+import { join as join7, dirname as dirname4 } from "path";
+import { fileURLToPath as fileURLToPath5 } from "url";
 
 // ../core/dist/routes/auth.js
 import { Router } from "express";
@@ -662,6 +662,7 @@ import { Router } from "express";
 // ../core/dist/controllers/auth.js
 import bcrypt from "bcryptjs";
 import jwt from "jsonwebtoken";
+import { createHash, randomBytes as randomBytes6 } from "crypto";
 
 // ../../node_modules/.pnpm/@otplib+core@13.4.0/node_modules/@otplib/core/dist/index.js
 var i = class extends Error {
@@ -2143,7 +2144,8 @@ function decrypt(stored) {
 
 // ../core/dist/lib/settings.js
 var SENSITIVE_FIELDS = {
-  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"])
+  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"]),
+  mailing: /* @__PURE__ */ new Set(["smtp.password"])
 };
 function isSensitive(namespace, key) {
   return SENSITIVE_FIELDS[namespace]?.has(key) ?? false;
@@ -2474,6 +2476,113 @@ async function resolveUniquePublicAuthorSlug(input, excludeUserId) {
   }
 }
 
+// ../core/dist/lib/mailer.js
+function parseBoolean(value, fallback = false) {
+  if (value == null)
+    return fallback;
+  return value.toLowerCase() === "true";
+}
+function parsePort(value) {
+  const port = Number(value ?? 587);
+  return Number.isFinite(port) ? port : 587;
+}
+function formatFrom(name, email) {
+  if (!name.trim())
+    return email;
+  return `"${name.replaceAll('"', '\\"')}" <${email}>`;
+}
+async function getMailingSettings() {
+  const settings = await getSettings("mailing");
+  return {
+    enabled: parseBoolean(settings.enabled),
+    host: settings["smtp.host"] ?? "",
+    port: parsePort(settings["smtp.port"]),
+    secure: parseBoolean(settings["smtp.secure"]),
+    user: settings["smtp.user"] ?? "",
+    password: settings["smtp.password"] ?? "",
+    fromEmail: settings["from.email"] ?? "",
+    fromName: settings["from.name"] ?? "Plank CMS",
+    replyTo: settings.reply_to ?? ""
+  };
+}
+async function sendMail(input) {
+  const settings = await getMailingSettings();
+  if (!settings.enabled)
+    throw new Error("Mailing is disabled.");
+  if (!settings.host || !settings.user || !settings.password || !settings.fromEmail) {
+    throw new Error("Mailing is not configured.");
+  }
+  const nodemailer = await import("nodemailer");
+  const transporter = nodemailer.createTransport({
+    host: settings.host,
+    port: settings.port,
+    secure: settings.secure,
+    auth: {
+      user: settings.user,
+      pass: settings.password
+    }
+  });
+  await transporter.sendMail({
+    from: formatFrom(settings.fromName, settings.fromEmail),
+    to: input.to,
+    subject: input.subject,
+    html: input.html,
+    text: input.text,
+    replyTo: settings.replyTo || void 0
+  });
+}
+
+// ../core/dist/lib/mailTemplates.js
+import { existsSync, readdirSync, readFileSync } from "fs";
+import { dirname as dirname2, join as join4 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import handlebars from "handlebars";
+var templates = /* @__PURE__ */ new Map();
+var partialsLoaded = false;
+function templatesRoot() {
+  const moduleDir = dirname2(fileURLToPath2(import.meta.url));
+  const candidates = [
+    join4(process.cwd(), "templates"),
+    join4(process.cwd(), "packages/core/templates"),
+    join4(moduleDir, "../../templates")
+  ];
+  const root = candidates.find((candidate) => existsSync(candidate));
+  if (!root)
+    return candidates[0];
+  return root;
+}
+function loadPartials() {
+  if (partialsLoaded)
+    return;
+  partialsLoaded = true;
+  const partialsDir = join4(templatesRoot(), "mail", "partials");
+  if (!existsSync(partialsDir))
+    return;
+  for (const file of readdirSync(partialsDir)) {
+    if (!file.endsWith(".hbs"))
+      continue;
+    const name = file.replace(/\.hbs$/, "");
+    const source = readFileSync(join4(partialsDir, file), "utf8");
+    handlebars.registerPartial(name, source);
+  }
+}
+handlebars.registerHelper("year", () => (/* @__PURE__ */ new Date()).getFullYear());
+function loadTemplate(name) {
+  loadPartials();
+  const cached = templates.get(name);
+  if (cached)
+    return cached;
+  const source = readFileSync(join4(templatesRoot(), `${name}.hbs`), "utf8");
+  const compiled = handlebars.compile(source);
+  templates.set(name, compiled);
+  return compiled;
+}
+function renderMailTemplate(name, data) {
+  const body = loadTemplate(`mail/${name}`)(data);
+  const base = loadTemplate("mail/base");
+  return base({ ...data, body });
+}
+
 // ../core/dist/controllers/auth.js
 var LoginSchema = z.object({
   email: z.email(),
@@ -2489,9 +2598,18 @@ var RegisterSchema = z.object({
   lastName: z.string().trim().min(1).max(100),
   password: z.string().min(8)
 });
+var RequestPasswordResetSchema = z.object({
+  email: z.email()
+});
+var ResetPasswordSchema = z.object({
+  token: z.string().min(32),
+  password: z.string().min(8)
+});
 var RATE_LIMIT_WINDOW_MS = 15 * 60 * 1e3;
 var LOGIN_RATE_LIMIT_MAX = 10;
 var LOGIN_2FA_RATE_LIMIT_MAX = 5;
+var PASSWORD_RESET_RATE_LIMIT_MAX = 5;
+var PASSWORD_RESET_EXPIRES_MS = 30 * 60 * 1e3;
 var ACCESS_TOKEN_COOKIE = "plank_session";
 var ACCESS_TOKEN_EXPIRES_SECONDS = 60 * 60 * 24 * 30;
 var REFRESH_TOKEN_COOKIE = "plank_refresh";
@@ -2567,6 +2685,27 @@ function buildRefreshToken(payload) {
 function buildChallengeToken(payload) {
   return jwt.sign(payload, process.env.PLANK_JWT_SECRET, { expiresIn: "5m" });
 }
+function hashToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+function adminBaseUrl(req) {
+  const referer = req.get("referer");
+  if (referer) {
+    try {
+      const url = new URL(referer);
+      if (url.pathname === "/admin" || url.pathname.startsWith("/admin/")) {
+        return `${url.origin}/admin`;
+      }
+      return url.origin;
+    } catch {
+    }
+  }
+  const origin = req.get("origin");
+  if (origin)
+    return origin;
+  const protocol = req.protocol;
+  return `${protocol}://${req.get("host")}`;
+}
 async function buildAuthPayload(user) {
   const { rows: roleRows } = await pool_default.query("SELECT id, name, permissions FROM plank_roles WHERE id = $1", [user.role_id]);
   let avatarUrl = user.avatar_url;
@@ -2592,6 +2731,12 @@ async function buildAuthPayload(user) {
     }
   };
 }
+async function getAuthFeatures(_req, res) {
+  const mailing = await getMailingSettings();
+  res.json({
+    passwordRecovery: mailing.enabled && Boolean(mailing.host && mailing.user && mailing.password && mailing.fromEmail)
+  });
+}
 async function login(req, res) {
   const ip = req.ip ?? "unknown";
   const parsed = LoginSchema.safeParse(req.body);
@@ -2637,6 +2782,95 @@ async function login(req, res) {
     user: auth.user
   });
 }
+async function requestPasswordReset(req, res) {
+  const ip = req.ip ?? "unknown";
+  const parsed = RequestPasswordResetSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  const email = parsed.data.email.toLowerCase();
+  const rateKey = `${ip}:${email}`;
+  if (!await consumeRateLimit("password-reset", rateKey, PASSWORD_RESET_RATE_LIMIT_MAX)) {
+    res.status(429).json({ error: "Too many password reset attempts. Try again in 15 minutes." });
+    return;
+  }
+  const mailing = await getMailingSettings();
+  if (!mailing.enabled || !mailing.host || !mailing.user || !mailing.password || !mailing.fromEmail) {
+    res.status(204).end();
+    return;
+  }
+  const { rows } = await pool_default.query(`SELECT id, email, first_name, last_name, enabled
+     FROM plank_users
+     WHERE email = $1`, [email]);
+  const user = rows[0];
+  if (!user || !user.enabled) {
+    res.status(204).end();
+    return;
+  }
+  const token = randomBytes6(32).toString("base64url");
+  const resetUrl = `${adminBaseUrl(req)}/reset-password?token=${encodeURIComponent(token)}`;
+  const expiresAt = new Date(Date.now() + PASSWORD_RESET_EXPIRES_MS);
+  await pool_default.query(`INSERT INTO plank_password_reset_tokens (id, user_id, token_hash, expires_at)
+     VALUES ($1, $2, $3, $4)`, [createId(), user.id, hashToken(token), expiresAt]);
+  const html = renderMailTemplate("password-reset", {
+    subject: "Reset your password",
+    resetUrl,
+    expiresIn: "30 minutes",
+    userName: [user.first_name, user.last_name].filter(Boolean).join(" ") || user.email
+  });
+  await sendMail({
+    to: user.email,
+    subject: "Reset your Plank CMS password",
+    html
+  });
+  await clearRateLimit("password-reset", rateKey);
+  res.status(204).end();
+}
+async function resetPassword(req, res) {
+  const parsed = ResetPasswordSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  const tokenHash = hashToken(parsed.data.token);
+  const { rows } = await pool_default.query(`SELECT t.id, t.user_id, u.enabled
+     FROM plank_password_reset_tokens t
+     JOIN plank_users u ON u.id = t.user_id
+     WHERE t.token_hash = $1
+       AND t.used_at IS NULL
+       AND t.expires_at > NOW()`, [tokenHash]);
+  const resetToken = rows[0];
+  if (!resetToken || !resetToken.enabled) {
+    res.status(400).json({ error: "Invalid or expired password reset link" });
+    return;
+  }
+  const hashed = await bcrypt.hash(parsed.data.password, 12);
+  const client = await pool_default.connect();
+  try {
+    await client.query("BEGIN");
+    await client.query(`UPDATE plank_users
+       SET password = $1,
+           two_factor_enabled = FALSE,
+           two_factor_secret = NULL,
+           two_factor_temp_secret = NULL,
+           session_version = session_version + 1
+       WHERE id = $2`, [hashed, resetToken.user_id]);
+    await client.query("DELETE FROM plank_user_backup_codes WHERE user_id = $1", [
+      resetToken.user_id
+    ]);
+    await client.query(`UPDATE plank_password_reset_tokens
+       SET used_at = NOW()
+       WHERE user_id = $1 AND used_at IS NULL`, [resetToken.user_id]);
+    await client.query("COMMIT");
+  } catch (err) {
+    await client.query("ROLLBACK");
+    throw err;
+  } finally {
+    client.release();
+  }
+  res.status(204).end();
+}
 async function loginWithTwoFactor(req, res) {
   const ip = req.ip ?? "unknown";
   const parsed = Login2FASchema.safeParse(req.body);
@@ -2762,10 +2996,13 @@ async function register(req, res) {
 // ../core/dist/routes/auth.js
 var router = Router();
 router.get("/setup", setup);
+router.get("/features", getAuthFeatures);
 router.post("/login", login);
 router.post("/login/2fa", loginWithTwoFactor);
 router.post("/logout", logout);
 router.post("/register", register);
+router.post("/password-reset", requestPasswordReset);
+router.post("/password-reset/confirm", resetPassword);
 var auth_default = router;
 
 // ../core/dist/routes/admin.js
@@ -4015,7 +4252,7 @@ var deleteEntry = async (req, res) => {
 
 // ../core/dist/controllers/users.js
 import bcrypt2 from "bcryptjs";
-import { randomBytes as randomBytes6 } from "crypto";
+import { randomBytes as randomBytes7 } from "crypto";
 import { z as z4, flattenError as flattenError4 } from "zod";
 var CreateUserSchema = z4.object({
   email: z4.email(),
@@ -4036,6 +4273,9 @@ var ChangePasswordSchema = z4.object({
   currentPassword: z4.string().min(1),
   newPassword: z4.string().min(8)
 });
+var ResetUserPasswordSchema = z4.object({
+  password: z4.string().min(8)
+});
 var UpdateMeSchema = z4.object({
   firstName: z4.string().max(100).optional(),
   lastName: z4.string().max(100).optional(),
@@ -4057,7 +4297,7 @@ var RegenerateBackupCodesSchema = z4.object({
 var BACKUP_CODE_COUNT = 8;
 var BACKUP_CODE_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
 function generateBackupCode() {
-  const bytes = randomBytes6(8);
+  const bytes = randomBytes7(8);
   let raw = "";
   for (let i2 = 0; i2 < 8; i2++) {
     raw += BACKUP_CODE_CHARS[bytes[i2] % BACKUP_CODE_CHARS.length];
@@ -4348,6 +4588,49 @@ async function changePassword(req, res) {
   await pool_default.query("UPDATE plank_users SET password = $1, session_version = session_version + 1 WHERE id = $2", [hashed, req.user.id]);
   res.status(204).end();
 }
+async function resetUserPassword(req, res) {
+  const parsed = ResetUserPasswordSchema.safeParse(req.body);
+  if (!parsed.success) {
+    res.status(400).json({ errors: flattenError4(parsed.error, (i2) => i2.message) });
+    return;
+  }
+  if (req.params.id === req.user.id) {
+    res.status(403).json({ error: "You cannot reset your own password here" });
+    return;
+  }
+  const requesterRoleName = await roleNameById(req.user.roleId);
+  if (requesterRoleName !== "Super Admin") {
+    res.status(403).json({ error: "Only Super Admin can reset user passwords" });
+    return;
+  }
+  const { rows } = await pool_default.query("SELECT id FROM plank_users WHERE id = $1", [
+    req.params.id
+  ]);
+  if (!rows[0]) {
+    res.status(404).json({ error: "User not found" });
+    return;
+  }
+  const hashed = await bcrypt2.hash(parsed.data.password, 12);
+  const client = await pool_default.connect();
+  try {
+    await client.query("BEGIN");
+    await client.query(`UPDATE plank_users
+       SET password = $1,
+           two_factor_enabled = FALSE,
+           two_factor_secret = NULL,
+           two_factor_temp_secret = NULL,
+           session_version = session_version + 1
+       WHERE id = $2`, [hashed, req.params.id]);
+    await client.query("DELETE FROM plank_user_backup_codes WHERE user_id = $1", [req.params.id]);
+    await client.query("COMMIT");
+  } catch (err) {
+    await client.query("ROLLBACK");
+    throw err;
+  } finally {
+    client.release();
+  }
+  res.status(204).end();
+}
 async function createUser(req, res) {
   const parsed = CreateUserSchema.safeParse(req.body);
   if (!parsed.success) {
@@ -4462,8 +4745,8 @@ async function deleteUser(req, res) {
     return;
   }
   const { rows: roleRows } = await pool_default.query("SELECT name FROM plank_roles WHERE id = $1", [rows[0].role_id]);
-  if (roleRows[0]?.name === "Super Admin") {
-    res.status(403).json({ error: "Super Admin users cannot be deleted" });
+  if (roleRows[0]?.name === "Super Admin" && await roleNameById(req.user.roleId) !== "Super Admin") {
+    res.status(403).json({ error: "Only Super Admin can delete Super Admin users" });
     return;
   }
   await pool_default.query("DELETE FROM plank_users WHERE id = $1", [req.params.id]);
@@ -4524,14 +4807,14 @@ async function resetRoles(_req, res) {
 }
 
 // ../core/dist/controllers/apiTokens.js
-import { randomBytes as randomBytes7, createHash } from "crypto";
+import { randomBytes as randomBytes8, createHash as createHash2 } from "crypto";
 import { z as z7, flattenError as flattenError5 } from "zod";
 var CreateTokenSchema = z7.object({
   name: z7.string().min(1),
   accessType: z7.enum(["read-only", "full-access", "mcp-server"])
 });
-function hashToken(token) {
-  return createHash("sha256").update(token).digest("hex");
+function hashToken2(token) {
+  return createHash2("sha256").update(token).digest("hex");
 }
 async function listApiTokens(_req, res) {
   const { rows } = await pool_default.query("SELECT id, name, access_type, created_at FROM plank_api_tokens ORDER BY created_at DESC");
@@ -4545,8 +4828,8 @@ async function createApiToken(req, res) {
   }
   const { name, accessType } = parsed.data;
   const id = createId();
-  const token = `plank_${randomBytes7(32).toString("hex")}`;
-  const hashed = hashToken(token);
+  const token = `plank_${randomBytes8(32).toString("hex")}`;
+  const hashed = hashToken2(token);
   await pool_default.query("INSERT INTO plank_api_tokens (id, name, token, access_type, created_by) VALUES ($1, $2, $3, $4, $5)", [id, name, hashed, accessType, req.user.id]);
   res.status(201).json({ id, name, accessType, token });
 }
@@ -4560,7 +4843,7 @@ async function deleteApiToken(req, res) {
 }
 
 // ../core/dist/controllers/media.js
-import { randomBytes as randomBytes8 } from "crypto";
+import { randomBytes as randomBytes9 } from "crypto";
 var MEDIA_PREFIX = "media";
 function buildDefaultAlt(filename) {
   const baseName = filename.split("/").pop() ?? filename;
@@ -4641,7 +4924,7 @@ async function uploadMedia(req, res) {
       res.status(400).json({ error: "No .m3u8 file found in bundle" });
       return;
     }
-    const bundleId = randomBytes8(8).toString("hex");
+    const bundleId = randomBytes9(8).toString("hex");
     const prefix = [MEDIA_PREFIX, folderId, bundleId].filter(Boolean).join("/");
     const rootDir = m3u8File.originalname.includes("/") ? m3u8File.originalname.split("/")[0] : null;
     const stripRoot = (path) => rootDir && path.startsWith(`${rootDir}/`) ? path.slice(rootDir.length + 1) : path;
@@ -4867,7 +5150,8 @@ async function deleteFolder(req, res) {
 
 // ../core/dist/controllers/settings.js
 var SENSITIVE_FIELDS2 = {
-  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"])
+  media: /* @__PURE__ */ new Set(["s3.secret_access_key", "r2.secret_access_key"]),
+  mailing: /* @__PURE__ */ new Set(["smtp.password"])
 };
 var MASKED = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
 function maskSettings(namespace, settings) {
@@ -4940,8 +5224,8 @@ async function updateNamespaceSettings(req, res) {
 
 // ../core/dist/lib/version.js
 import { readFile as readFile2 } from "fs/promises";
-import { join as join4 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { join as join5 } from "path";
+import { fileURLToPath as fileURLToPath3 } from "url";
 var PACKAGE_NAME = "@plank-cms/plank";
 var CHANGELOG_BASE_URL = "https://github.com/plank-cms/plank/releases";
 var REGISTRY_URL = `https://registry.npmjs.org/${encodeURIComponent(PACKAGE_NAME)}/latest`;
@@ -4976,7 +5260,7 @@ function getUpdateCommandForPackageManager(packageManager) {
 }
 async function detectProjectPackageManager() {
   try {
-    const raw = await readFile2(join4(process.cwd(), "package.json"), "utf8");
+    const raw = await readFile2(join5(process.cwd(), "package.json"), "utf8");
     const parsed = JSON.parse(raw);
     if (parsed.packageManager?.startsWith("pnpm@") || parsed.packageManager === "pnpm") {
       return "pnpm";
@@ -4991,7 +5275,7 @@ async function detectProjectPackageManager() {
 }
 async function hasLockfile(filename) {
   try {
-    await readFile2(join4(process.cwd(), filename), "utf8");
+    await readFile2(join5(process.cwd(), filename), "utf8");
     return true;
   } catch {
     return false;
@@ -5009,7 +5293,7 @@ async function detectPackageManagerFromLockfiles() {
 async function getCurrentVersion() {
   for (const packageJsonUrl of packageJsonUrls) {
     try {
-      const packageJsonPath = fileURLToPath2(packageJsonUrl);
+      const packageJsonPath = fileURLToPath3(packageJsonUrl);
       const raw = await readFile2(packageJsonPath, "utf8");
       const parsed = JSON.parse(raw);
       if (parsed.version) {
@@ -5070,12 +5354,12 @@ import { z as z9 } from "zod";
 // ../core/dist/lib/addons.js
 import { access, readFile as readFile3 } from "fs/promises";
 import { createRequire } from "module";
-import { dirname as dirname2, join as join5, resolve } from "path";
-import { fileURLToPath as fileURLToPath3 } from "url";
+import { dirname as dirname3, join as join6, resolve } from "path";
+import { fileURLToPath as fileURLToPath4 } from "url";
 import { z as z8 } from "zod";
 var ADDON_PACKAGE_PREFIX = "@plank-cms/addon-";
 function getHostRequire() {
-  return createRequire(join5(process.cwd(), "package.json"));
+  return createRequire(join6(process.cwd(), "package.json"));
 }
 var addonSlotSchema = z8.object({
   id: z8.string().min(1),
@@ -5170,13 +5454,13 @@ async function resolvePackageJsonPath(packageName) {
   } catch {
     try {
       const entryPath = hostRequire.resolve(packageName);
-      let currentDir = dirname2(entryPath);
+      let currentDir = dirname3(entryPath);
       for (; ; ) {
-        const candidate = join5(currentDir, "package.json");
+        const candidate = join6(currentDir, "package.json");
         if (await pathExists(candidate)) {
           return candidate;
         }
-        const parentDir = dirname2(currentDir);
+        const parentDir = dirname3(currentDir);
         if (parentDir === currentDir)
           return null;
         currentDir = parentDir;
@@ -5189,16 +5473,16 @@ async function resolvePackageJsonPath(packageName) {
 async function resolvePackageRoot(packageName) {
   const packageJsonPath = await resolvePackageJsonPath(packageName);
   if (packageJsonPath)
-    return dirname2(packageJsonPath);
+    return dirname3(packageJsonPath);
   try {
     const manifestUrl = import.meta.resolve(`${packageName}/plank`);
-    let currentDir = dirname2(fileURLToPath3(manifestUrl));
+    let currentDir = dirname3(fileURLToPath4(manifestUrl));
     for (; ; ) {
-      const candidate = join5(currentDir, "package.json");
+      const candidate = join6(currentDir, "package.json");
       if (await pathExists(candidate)) {
         return currentDir;
       }
-      const parentDir = dirname2(currentDir);
+      const parentDir = dirname3(currentDir);
       if (parentDir === currentDir)
         return null;
       currentDir = parentDir;
@@ -5219,7 +5503,7 @@ async function readInstalledPackageJson(packageName) {
   }
 }
 async function readHostPackageJson() {
-  const raw = await readFile3(join5(process.cwd(), "package.json"), "utf8");
+  const raw = await readFile3(join6(process.cwd(), "package.json"), "utf8");
   return JSON.parse(raw);
 }
 function listDeclaredAddonPackages(packageJson) {
@@ -5792,6 +6076,7 @@ router2.post("/roles/reset", authorize("settings:roles:write"), resetRoles);
 router2.get("/users", authorize("settings:users:read"), listUsers);
 router2.post("/users", authorize("settings:users:write"), createUser);
 router2.put("/users/:id", authorize("settings:users:write"), updateUser);
+router2.post("/users/:id/password/reset", authorize("settings:users:write"), resetUserPassword);
 router2.delete("/users/:id", authorize("settings:users:delete"), deleteUser);
 router2.get("/api-tokens", authorize("settings:api-tokens:read"), listApiTokens);
 router2.post("/api-tokens", authorize("settings:api-tokens:write"), createApiToken);
@@ -5832,7 +6117,7 @@ var admin_default = router2;
 import { Router as Router3 } from "express";
 
 // ../core/dist/middlewares/apiToken.js
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 var READ_ONLY_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
 var PUBLIC_API_ACCESS_TYPES = /* @__PURE__ */ new Set(["read-only", "full-access"]);
 var MCP_ACCESS_TYPES = /* @__PURE__ */ new Set(["mcp-server"]);
@@ -5843,7 +6128,7 @@ async function enforceApiToken(req, res, next, allowedAccessTypes) {
     return;
   }
   const raw = header.slice(7);
-  const hashed = createHash2("sha256").update(raw).digest("hex");
+  const hashed = createHash3("sha256").update(raw).digest("hex");
   const { rows } = await pool_default.query("SELECT id, access_type FROM plank_api_tokens WHERE token = $1", [hashed]);
   if (!rows[0]) {
     res.status(401).json({ error: "Invalid API token" });
@@ -6821,11 +7106,11 @@ if (isDev) {
   app.get("/admin/*path", (_req, res) => res.redirect(adminDevUrl));
   app.get("/admin", (_req, res) => res.redirect(adminDevUrl));
 } else {
-  const adminDist = process.env.PLANK_ADMIN_DIST ?? join6(dirname3(fileURLToPath4(import.meta.url)), "../public/admin");
+  const adminDist = process.env.PLANK_ADMIN_DIST ?? join7(dirname4(fileURLToPath5(import.meta.url)), "../public/admin");
   app.use("/admin", express.static(adminDist));
   app.get("/admin/*path", async (_req, res) => {
     try {
-      const source = await readFile5(join6(adminDist, "index.html"), "utf8");
+      const source = await readFile5(join7(adminDist, "index.html"), "utf8");
       res.type("text/html");
       res.send(source);
     } catch {