@sonicjs-cms/core 2.19.0 → 3.0.0-beta.11

package/dist/chunk-QLFTG3QJ.js

@@ -0,0 +1,1828 @@
+import { getTelemetryConfig, sanitizeErrorMessage, sanitizeRoute, generateInstallationId, generateProjectId } from './chunk-X7ZAEI5S.js';
+import { escapeHtml } from './chunk-TQABQWOP.js';
+import { getCookie } from 'hono/cookie';
+
+// src/services/collection-registry.ts
+var CollectionRegistry = class {
+  byName = /* @__PURE__ */ new Map();
+  bySlug = /* @__PURE__ */ new Map();
+  /**
+   * Replace the registry contents with the given configs. Idempotent —
+   * calling with the same configs twice yields the same state.
+   */
+  register(configs) {
+    this.byName.clear();
+    this.bySlug.clear();
+    for (const config of configs) {
+      if (!config.name) continue;
+      const record = {
+        ...config,
+        id: config.name,
+        slug: config.slug ?? config.name.replace(/_/g, "-"),
+        managed: config.managed !== void 0 ? config.managed : true,
+        isActive: config.isActive !== void 0 ? config.isActive : true
+      };
+      this.byName.set(record.name, record);
+      this.bySlug.set(record.slug, record);
+    }
+  }
+  /** All registered collections (including inactive). */
+  list() {
+    return Array.from(this.byName.values());
+  }
+  /** Active collections only. */
+  listActive() {
+    return this.list().filter((c) => c.isActive !== false);
+  }
+  getByName(name) {
+    return this.byName.get(name);
+  }
+  /** For code-defined collections, id === name. */
+  getById(id) {
+    return this.byName.get(id);
+  }
+  /** Look up by the URL slug (set in CollectionConfig.slug). Falls back to getByName if needed. */
+  getBySlug(slug) {
+    return this.bySlug.get(slug);
+  }
+  /** Resolve a path segment to a record — tries slug first, then name. */
+  getBySlugOrName(slugOrName) {
+    return this.bySlug.get(slugOrName) ?? this.byName.get(slugOrName);
+  }
+  isActive(name) {
+    const record = this.byName.get(name);
+    return record?.isActive !== false && record !== void 0;
+  }
+  size() {
+    return this.byName.size;
+  }
+  /** Test helper — wipe state. */
+  clear() {
+    this.byName.clear();
+    this.bySlug.clear();
+  }
+};
+function collectionRecordToRow(record) {
+  return {
+    id: record.id,
+    name: record.name,
+    display_name: record.displayName,
+    description: record.description ?? null,
+    schema: record.schema,
+    is_active: record.isActive === false ? 0 : 1,
+    managed: record.managed === false ? 0 : 1,
+    source_type: "code",
+    source_id: null,
+    created_at: 0,
+    updated_at: 0
+  };
+}
+var instance = null;
+function getCollectionRegistry() {
+  if (!instance) {
+    instance = new CollectionRegistry();
+  }
+  return instance;
+}
+function resetCollectionRegistry() {
+  instance = null;
+}
+
+// src/services/collection-loader.ts
+function isCodeCollectionInternal(cfg) {
+  return cfg.internal === true;
+}
+function isDbDocTypeInternal(source) {
+  return source === "system" || source === "plugin";
+}
+async function getVisibleCollections(db) {
+  const codeRegistry = getCollectionRegistry().list();
+  const codeMap = /* @__PURE__ */ new Map();
+  for (const cfg of codeRegistry) {
+    if (!isCodeCollectionInternal(cfg)) {
+      codeMap.set(cfg.name, { name: cfg.name, displayName: cfg.displayName });
+    }
+  }
+  let dbRows = [];
+  try {
+    const { results } = await db.prepare(
+      "SELECT name, display_name, source FROM document_types WHERE is_active = 1 ORDER BY display_name"
+    ).all();
+    dbRows = results ?? [];
+  } catch {
+  }
+  const merged = new Map(codeMap);
+  for (const row of dbRows) {
+    if (!isDbDocTypeInternal(row.source) && !merged.has(row.name)) {
+      merged.set(row.name, { name: String(row.name), displayName: String(row.display_name) });
+    }
+  }
+  return Array.from(merged.values());
+}
+var registeredCollections = [];
+function registerCollections(collections) {
+  for (const config of collections) {
+    if (!config.name || !config.displayName || !config.schema) {
+      console.error(`Invalid collection config: missing required fields`, config);
+      continue;
+    }
+    const normalizedConfig = {
+      ...config,
+      managed: config.managed !== void 0 ? config.managed : true,
+      isActive: config.isActive !== void 0 ? config.isActive : true
+    };
+    registeredCollections.push(normalizedConfig);
+    console.log(`\u2713 Registered collection: ${config.name}`);
+  }
+}
+async function loadCollectionConfigs() {
+  const collections = [...registeredCollections];
+  if (registeredCollections.length > 0) {
+    console.log(`\u{1F4E6} Found ${registeredCollections.length} registered collection(s) from application`);
+  } else {
+    console.log(`\u26A0\uFE0F  No collections registered. Make sure to call registerCollections() in your app's index.ts`);
+    console.log(`   Example: import myCollection from './collections/my-collection.collection'`);
+    console.log(`            registerCollections([myCollection])`);
+  }
+  try {
+    const modules = import.meta.glob?.("../collections/*.collection.ts", { eager: true }) || {};
+    let coreCollectionCount = 0;
+    for (const [path, module] of Object.entries(modules)) {
+      try {
+        const configModule = module;
+        if (!configModule.default) {
+          console.warn(`Collection file ${path} does not export a default config`);
+          continue;
+        }
+        const config = configModule.default;
+        if (!config.name || !config.displayName || !config.schema) {
+          console.error(`Invalid collection config in ${path}: missing required fields`);
+          continue;
+        }
+        const normalizedConfig = {
+          ...config,
+          managed: config.managed !== void 0 ? config.managed : true,
+          isActive: config.isActive !== void 0 ? config.isActive : true
+        };
+        collections.push(normalizedConfig);
+        coreCollectionCount++;
+        console.log(`\u2713 Loaded core collection: ${config.name}`);
+      } catch (error) {
+        console.error(`Error loading collection from ${path}:`, error);
+      }
+    }
+    console.log(`\u{1F4CA} Collection summary: ${collections.length} total (${registeredCollections.length} from app, ${coreCollectionCount} from core)`);
+    return collections;
+  } catch (error) {
+    console.error("Error loading collection configurations:", error);
+    return collections;
+  }
+}
+async function loadCollectionConfig(name) {
+  try {
+    console.warn("loadCollectionConfig requires implementation in consuming application");
+    return null;
+  } catch (error) {
+    console.error(`Error loading collection ${name}:`, error);
+    return null;
+  }
+}
+async function getAvailableCollectionNames() {
+  try {
+    const modules = import.meta.glob?.("../collections/*.collection.ts") || {};
+    const names = [];
+    for (const path of Object.keys(modules)) {
+      const match = path.match(/\/([^/]+)\.collection\.ts$/);
+      if (match && match[1]) {
+        names.push(match[1]);
+      }
+    }
+    return names;
+  } catch (error) {
+    console.error("Error getting collection names:", error);
+    return [];
+  }
+}
+function validateCollectionConfig(config) {
+  const errors = [];
+  if (!config.name) {
+    errors.push("Collection name is required");
+  } else if (!/^[a-z0-9_-]+$/.test(config.name)) {
+    errors.push("Collection name must contain only lowercase letters, numbers, underscores, and hyphens");
+  }
+  if (!config.displayName) {
+    errors.push("Display name is required");
+  }
+  if (!config.schema) {
+    errors.push("Schema is required");
+  } else {
+    if (config.schema.type !== "object") {
+      errors.push('Schema type must be "object"');
+    }
+    if (!config.schema.properties || typeof config.schema.properties !== "object") {
+      errors.push("Schema must have properties");
+    }
+    for (const [fieldName, fieldConfig] of Object.entries(config.schema.properties || {})) {
+      if (!fieldConfig.type) {
+        errors.push(`Field "${fieldName}" is missing type`);
+      }
+      if (fieldConfig.type === "reference" && !fieldConfig.collection) {
+        errors.push(`Reference field "${fieldName}" is missing collection property`);
+      }
+      const layoutValue = fieldConfig.objectLayout;
+      if (layoutValue !== void 0) {
+        if (fieldConfig.type !== "object") {
+          errors.push(`Field "${fieldName}" uses objectLayout but is not an object field`);
+        } else if (!["nested", "flat"].includes(layoutValue)) {
+          errors.push(`Object field "${fieldName}" has invalid objectLayout. Use "nested" or "flat"`);
+        }
+      }
+      if (["select", "multiselect", "radio"].includes(fieldConfig.type) && !fieldConfig.enum) {
+        errors.push(`Select field "${fieldName}" is missing enum options`);
+      }
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+var TENANT_COOKIE = "sonicjs-tenant";
+var TENANT_SWITCHER_MARKER = "<!-- TENANT_SWITCHER -->";
+var MULTI_TENANT_PLUGIN_ID = "multi-tenant";
+var CACHE_TTL_MS = 3e4;
+var DEFAULT_SETTINGS = {
+  headerName: "X-Tenant-Id",
+  subdomainResolution: false,
+  rootDomain: ""
+};
+var cache = null;
+function invalidateTenantCache() {
+  cache = null;
+}
+async function loadTenantState(db) {
+  const now = Date.now();
+  if (cache && now - cache.fetchedAt < CACHE_TTL_MS) return cache;
+  let pluginActive = false;
+  let settings = DEFAULT_SETTINGS;
+  const tenants = /* @__PURE__ */ new Map();
+  const domains = /* @__PURE__ */ new Map();
+  try {
+    const pluginRow = await db.prepare(
+      `SELECT data FROM documents
+       WHERE type_id = 'plugin' AND tenant_id = 'default' AND slug = ?
+         AND q_plugin_status = 'active' AND is_current_draft = 1 AND deleted_at IS NULL`
+    ).bind(MULTI_TENANT_PLUGIN_ID).first();
+    if (pluginRow) {
+      pluginActive = true;
+      try {
+        const data = typeof pluginRow.data === "string" ? JSON.parse(pluginRow.data) : pluginRow.data ?? {};
+        const s = data.settings ?? {};
+        settings = {
+          headerName: typeof s.headerName === "string" && s.headerName.trim() !== "" ? s.headerName.trim() : DEFAULT_SETTINGS.headerName,
+          subdomainResolution: s.subdomainResolution === true,
+          rootDomain: typeof s.rootDomain === "string" ? s.rootDomain.trim().toLowerCase() : ""
+        };
+      } catch {
+        settings = DEFAULT_SETTINGS;
+      }
+      const { results } = await db.prepare(
+        `SELECT slug, name, status, domain FROM auth_tenant`
+      ).all();
+      for (const row of results ?? []) {
+        const status = row.status === "inactive" ? "inactive" : "active";
+        tenants.set(row.slug, { name: row.name || row.slug, status });
+        if (row.domain && status === "active") {
+          domains.set(String(row.domain).toLowerCase(), row.slug);
+        }
+      }
+      if (!tenants.has("default")) tenants.set("default", { name: "Default", status: "active" });
+    }
+  } catch {
+    pluginActive = false;
+  }
+  cache = { pluginActive, settings, tenants, domains, fetchedAt: now };
+  return cache;
+}
+function isActiveTenant(state, slug) {
+  if (!slug) return false;
+  const entry = state.tenants.get(slug);
+  return !!entry && entry.status === "active";
+}
+function resolveTenantSlug(state, req, opts) {
+  if (!state.pluginActive) return "default";
+  const full = state;
+  const enforce = opts?.enforceMembership === true;
+  const member = (slug) => !enforce || slug === "default" || (opts?.memberSlugs?.has(slug) ?? false);
+  const accept = (slug) => isActiveTenant(full, slug) && member(slug);
+  const header = req.header?.trim().toLowerCase();
+  if (accept(header)) return header;
+  const cookie = req.cookie?.trim().toLowerCase();
+  if (accept(cookie)) return cookie;
+  const host = req.host?.split(":")[0]?.toLowerCase() ?? "";
+  if (host) {
+    const bySlug = state.domains.get(host);
+    if (accept(bySlug)) return bySlug;
+    const { subdomainResolution, rootDomain } = state.settings;
+    if (subdomainResolution && rootDomain && host.endsWith(`.${rootDomain}`)) {
+      const sub = host.slice(0, -(rootDomain.length + 1));
+      if (sub && !sub.includes(".") && accept(sub)) return sub;
+    }
+  }
+  return "default";
+}
+async function loadMemberRoles(db, userId) {
+  try {
+    const { results } = await db.prepare(`
+      SELECT t.slug, m.role FROM auth_tenant_member m
+      JOIN auth_tenant t ON t.id = m.tenant_id
+      WHERE m.user_id = ?
+    `).bind(userId).all();
+    return new Map((results ?? []).map((r) => [r.slug, r.role || "viewer"]));
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+}
+function tenantMiddleware() {
+  return async (c, next) => {
+    const db = c.env?.DB;
+    if (!db) {
+      c.set("tenantId", "default");
+      return next();
+    }
+    const state = await loadTenantState(db);
+    const user = c.get("user");
+    let memberSlugs;
+    let memberRoles;
+    const enforceMembership = !!(user?.userId && state.pluginActive && !user.isSuperAdmin);
+    if (user?.userId && state.pluginActive && !user.isSuperAdmin) {
+      memberRoles = await loadMemberRoles(db, user.userId);
+      memberSlugs = new Set(memberRoles.keys());
+    }
+    const tenantId = resolveTenantSlug(
+      state,
+      {
+        header: c.req.header(state.settings.headerName),
+        cookie: getCookie(c, TENANT_COOKIE),
+        host: c.req.header("host")
+      },
+      { memberSlugs, enforceMembership }
+    );
+    c.set("tenantId", tenantId);
+    if (user?.userId) {
+      const role = tenantId === "default" || user.isSuperAdmin ? user.role : memberRoles?.get(tenantId) ?? user.role;
+      c.set("tenantRole", role);
+    }
+    await next();
+    const path = new URL(c.req.url).pathname;
+    if (!path.startsWith("/admin")) return;
+    if (!c.res.headers.get("content-type")?.includes("text/html")) return;
+    const status = c.res.status;
+    const headers = new Headers(c.res.headers);
+    const html = await c.res.text();
+    if (html.includes(TENANT_SWITCHER_MARKER)) {
+      const replacement = state.pluginActive ? renderTenantSwitcher(state, tenantId, enforceMembership ? memberSlugs : void 0) : "";
+      c.res = new Response(html.split(TENANT_SWITCHER_MARKER).join(replacement), { status, headers });
+    } else {
+      c.res = new Response(html, { status, headers });
+    }
+  };
+}
+function renderTenantSwitcher(state, currentTenantId, memberSlugs) {
+  const active = [...state.tenants.entries()].filter(([slug, t]) => t.status === "active" && (!memberSlugs || slug === "default" || memberSlugs.has(slug))).sort(([a], [b]) => a === "default" ? -1 : b === "default" ? 1 : a.localeCompare(b));
+  const options = active.map(
+    ([slug, t]) => `<option value="${escapeHtml(slug)}" ${slug === currentTenantId ? "selected" : ""}>${escapeHtml(t.name)}</option>`
+  ).join("");
+  return `
+    <div class="border-b border-zinc-950/5 px-4 py-3 dark:border-white/5" data-tenant-switcher>
+      <label for="tenant-switcher-select" class="mb-1 flex items-center gap-1.5 text-xs/5 font-medium text-zinc-500 dark:text-zinc-400">
+        <svg class="h-3.5 w-3.5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3.75 21h16.5M4.5 3h15M5.25 3v18m13.5-18v18M9 6.75h1.5m-1.5 3h1.5m-1.5 3h1.5m3-6H15m-1.5 3H15m-1.5 3H15M9 21v-3.375c0-.621.504-1.125 1.125-1.125h3.75c.621 0 1.125.504 1.125 1.125V21"/></svg>
+        Tenant
+      </label>
+      <form method="POST" action="/admin/tenants/switch" data-tenant-switcher-form>
+        <select
+          id="tenant-switcher-select"
+          name="tenant"
+          onchange="this.form.requestSubmit ? this.form.requestSubmit() : this.form.submit()"
+          class="w-full rounded-lg border border-zinc-950/10 bg-white px-2 py-1.5 text-sm/5 text-zinc-950 dark:border-white/10 dark:bg-zinc-800 dark:text-white"
+        >${options}</select>
+        <input type="hidden" name="redirect" value="" data-tenant-switcher-redirect>
+      </form>
+      <script>
+        (function () {
+          var r = document.querySelector('[data-tenant-switcher-redirect]');
+          if (r) r.value = window.location.pathname + window.location.search;
+        })();
+      </script>
+    </div>`;
+}
+
+// src/services/plugin-service.ts
+var TENANT = "default";
+var TYPE_ID = "plugin";
+var PluginService = class {
+  constructor(db) {
+    this.db = db;
+  }
+  async getAllPlugins() {
+    const { results } = await this.db.prepare(`
+      SELECT * FROM documents
+      WHERE type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+      ORDER BY json_extract(data, '$.isCore') DESC, title ASC
+    `).bind(TYPE_ID, TENANT).all();
+    return (results || []).map(mapDocumentToPlugin);
+  }
+  async getPlugin(pluginId) {
+    const row = await this.db.prepare(`
+      SELECT * FROM documents
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(pluginId, TYPE_ID, TENANT).first();
+    if (!row) return null;
+    return mapDocumentToPlugin(row);
+  }
+  async getPluginByName(name) {
+    return this.getPlugin(name);
+  }
+  async getPluginStats() {
+    const stats = await this.db.prepare(`
+      SELECT
+        COUNT(*) as total,
+        COUNT(CASE WHEN q_plugin_status = 'active' THEN 1 END) as active,
+        COUNT(CASE WHEN q_plugin_status = 'inactive' THEN 1 END) as inactive,
+        COUNT(CASE WHEN q_plugin_status = 'error' THEN 1 END) as errors
+      FROM documents
+      WHERE type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(TYPE_ID, TENANT).first();
+    return {
+      total: stats?.total || 0,
+      active: stats?.active || 0,
+      inactive: stats?.inactive || 0,
+      errors: stats?.errors || 0,
+      uninstalled: 0
+    };
+  }
+  async installPlugin(pluginData) {
+    const slug = pluginData.id || pluginData.name || `plugin-${Date.now()}`;
+    const docId = crypto.randomUUID();
+    const now = Math.floor(Date.now() / 1e3);
+    const data = JSON.stringify({
+      name: slug,
+      displayName: pluginData.display_name || "Unnamed Plugin",
+      description: pluginData.description || "",
+      version: pluginData.version || "1.0.0",
+      author: pluginData.author || "Unknown",
+      category: pluginData.category || "utilities",
+      icon: pluginData.icon || "\u{1F50C}",
+      status: "active",
+      isCore: pluginData.is_core || false,
+      settings: pluginData.settings || {},
+      permissions: pluginData.permissions || [],
+      dependencies: pluginData.dependencies || [],
+      downloadCount: pluginData.download_count || 0,
+      rating: pluginData.rating || 0
+    });
+    await this.db.prepare(`
+      INSERT INTO documents (
+        id, root_id, type_id, version_number, is_current_draft, is_published, status,
+        parent_root_id, slug, title, tenant_id, locale, translation_group_id,
+        data, metadata, created_at, updated_at
+      ) VALUES (
+        ?, ?, ?, 1, 1, 1, 'published',
+        '', ?, ?, ?, 'default', '',
+        ?, '{}', ?, ?
+      )
+    `).bind(
+      docId,
+      docId,
+      TYPE_ID,
+      slug,
+      pluginData.display_name || "Unnamed Plugin",
+      TENANT,
+      data,
+      now,
+      now
+    ).run();
+    await this.logActivity(slug, "installed", null, { version: pluginData.version });
+    await this.logActivity(slug, "activated", null);
+    const installed = await this.getPlugin(slug);
+    if (!installed) throw new Error("Failed to install plugin");
+    return installed;
+  }
+  /**
+   * Ensure a definePlugin-registered plugin exists in the DB with active status.
+   * No-op if already present. Used by admin routes to auto-register SDK plugins
+   * that have never been explicitly installed.
+   */
+  async ensurePlugin(id, data) {
+    const existing = await this.getPlugin(id);
+    if (existing) return existing;
+    return this.installPlugin({
+      id,
+      name: id,
+      display_name: data.displayName || id,
+      description: data.description || "",
+      author: data.author || "",
+      version: data.version || "1.0.0"
+    });
+  }
+  async uninstallPlugin(pluginId) {
+    const plugin = await this.getPlugin(pluginId);
+    if (!plugin) throw new Error("Plugin not found");
+    if (plugin.is_core) throw new Error("Cannot uninstall core plugins");
+    if (plugin.status === "active") await this.deactivatePlugin(pluginId);
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET deleted_at = ?, updated_at = ?, is_current_draft = 0, is_published = 0
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1
+    `).bind(now, now, pluginId, TYPE_ID, TENANT).run();
+    await this.logActivity(pluginId, "uninstalled", null, { name: plugin.name });
+  }
+  async activatePlugin(pluginId) {
+    const plugin = await this.getPlugin(pluginId);
+    if (!plugin) throw new Error("Plugin not found");
+    if (plugin.dependencies && plugin.dependencies.length > 0) {
+      await this.checkDependencies(plugin.dependencies);
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET data = json_set(data, '$.status', 'active', '$.activatedAt', ?, '$.errorMessage', null),
+          updated_at = ?
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(now, now, pluginId, TYPE_ID, TENANT).run();
+    await this.db.prepare(`UPDATE plugins SET status = 'active' WHERE id = ?`).bind(pluginId).run().catch(() => {
+    });
+    invalidateTenantCache();
+    await this.logActivity(pluginId, "activated", null);
+  }
+  async deactivatePlugin(pluginId) {
+    const plugin = await this.getPlugin(pluginId);
+    if (!plugin) throw new Error("Plugin not found");
+    await this.checkDependents(plugin.name);
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET data = json_set(data, '$.status', 'inactive', '$.activatedAt', null),
+          updated_at = ?
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(now, pluginId, TYPE_ID, TENANT).run();
+    await this.db.prepare(`UPDATE plugins SET status = 'inactive' WHERE id = ?`).bind(pluginId).run().catch(() => {
+    });
+    invalidateTenantCache();
+    await this.logActivity(pluginId, "deactivated", null);
+  }
+  async updatePluginSettings(pluginId, settings) {
+    const plugin = await this.getPlugin(pluginId);
+    if (!plugin) throw new Error("Plugin not found");
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET data = json_set(data, '$.settings', json(?)), updated_at = ?
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(JSON.stringify(settings), now, pluginId, TYPE_ID, TENANT).run();
+    invalidateTenantCache();
+    await this.logActivity(pluginId, "settings_updated", null);
+  }
+  async updatePluginVersion(pluginId, patch) {
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET data = json_set(data,
+            '$.version', ?,
+            '$.description', ?,
+            '$.permissions', json(?),
+            '$.settings', json(?)
+          ),
+          updated_at = ?
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(
+      patch.version,
+      patch.description,
+      JSON.stringify(patch.permissions),
+      JSON.stringify(patch.settings || {}),
+      now,
+      pluginId,
+      TYPE_ID,
+      TENANT
+    ).run();
+  }
+  async setPluginError(pluginId, error) {
+    const now = Math.floor(Date.now() / 1e3);
+    await this.db.prepare(`
+      UPDATE documents
+      SET data = json_set(data, '$.status', 'error', '$.errorMessage', ?),
+          updated_at = ?
+      WHERE slug = ? AND type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+    `).bind(error, now, pluginId, TYPE_ID, TENANT).run();
+    await this.logActivity(pluginId, "error", null, { error });
+  }
+  async getPluginActivity(pluginId, limit = 10) {
+    try {
+      const { results } = await this.db.prepare(`
+        SELECT id, data, created_at FROM documents
+        WHERE type_id = 'plugin_activity'
+          AND tenant_id = ?
+          AND is_current_draft = 1
+          AND deleted_at IS NULL
+          AND json_extract(data, '$.pluginId') = ?
+        ORDER BY created_at DESC
+        LIMIT ?
+      `).bind(TENANT, pluginId, limit).all();
+      return (results || []).map((row) => {
+        const d = typeof row.data === "string" ? JSON.parse(row.data) : row.data || {};
+        return {
+          id: row.id,
+          action: d.action,
+          userId: d.userId || null,
+          details: d.details || null,
+          timestamp: row.created_at
+        };
+      });
+    } catch {
+      return [];
+    }
+  }
+  async registerHook(pluginId, hookName, handlerName, priority = 10) {
+    const id = `hook-${Date.now()}`;
+    await this.db.prepare(`
+      INSERT INTO plugin_hooks (id, plugin_id, hook_name, handler_name, priority)
+      VALUES (?, ?, ?, ?, ?)
+    `).bind(id, pluginId, hookName, handlerName, priority).run();
+  }
+  async registerRoute(pluginId, path, method, handlerName, middleware) {
+    const id = `route-${Date.now()}`;
+    await this.db.prepare(`
+      INSERT INTO plugin_routes (id, plugin_id, path, method, handler_name, middleware)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `).bind(id, pluginId, path, method, handlerName, JSON.stringify(middleware || [])).run();
+  }
+  async getPluginHooks(pluginId) {
+    const { results } = await this.db.prepare(`
+      SELECT * FROM plugin_hooks WHERE plugin_id = ? AND is_active = TRUE ORDER BY priority ASC
+    `).bind(pluginId).all();
+    return results || [];
+  }
+  async getPluginRoutes(pluginId) {
+    const { results } = await this.db.prepare(`
+      SELECT * FROM plugin_routes WHERE plugin_id = ? AND is_active = TRUE
+    `).bind(pluginId).all();
+    return results || [];
+  }
+  async checkDependencies(dependencies) {
+    for (const dep of dependencies) {
+      const plugin = await this.getPluginByName(dep);
+      if (!plugin || plugin.status !== "active") {
+        throw new Error(`Required dependency '${dep}' is not active`);
+      }
+    }
+  }
+  async checkDependents(pluginName) {
+    const { results } = await this.db.prepare(`
+      SELECT slug, title FROM documents
+      WHERE type_id = ? AND tenant_id = ? AND is_current_draft = 1 AND deleted_at IS NULL
+        AND q_plugin_status = 'active'
+        AND json_extract(data, '$.dependencies') LIKE ?
+    `).bind(TYPE_ID, TENANT, `%"${pluginName}"%`).all();
+    if (results && results.length > 0) {
+      const names = results.map((p) => p.title || p.slug).join(", ");
+      throw new Error(`Cannot deactivate. The following plugins depend on this one: ${names}`);
+    }
+  }
+  async logActivity(pluginId, action, userId, details) {
+    try {
+      const docId = crypto.randomUUID();
+      const now = Math.floor(Date.now() / 1e3);
+      const data = JSON.stringify({ pluginId, action, userId, details: details || null });
+      await this.db.prepare(`
+        INSERT INTO documents (
+          id, root_id, type_id, version_number, is_current_draft, is_published, status,
+          parent_root_id, slug, title, tenant_id, locale, translation_group_id,
+          data, metadata, created_at, updated_at
+        ) VALUES (
+          ?, ?, 'plugin_activity', 1, 1, 1, 'published',
+          '', ?, ?, 'default', 'default', '',
+          ?, '{}', ?, ?
+        )
+      `).bind(docId, docId, docId, action, data, now, now).run();
+    } catch {
+    }
+  }
+};
+function mapDocumentToPlugin(row) {
+  const data = typeof row.data === "string" ? JSON.parse(row.data) : row.data || {};
+  return {
+    id: row.slug || data.name || row.root_id,
+    name: data.name || row.slug || "",
+    display_name: data.displayName || row.title || "",
+    description: data.description || "",
+    version: data.version || "1.0.0",
+    author: data.author || "Unknown",
+    category: data.category || "utilities",
+    icon: data.icon || "\u{1F50C}",
+    status: data.status || "inactive",
+    is_core: data.isCore === true || data.isCore === 1,
+    settings: data.settings,
+    permissions: data.permissions,
+    dependencies: data.dependencies,
+    download_count: data.downloadCount || 0,
+    rating: data.rating || 0,
+    installed_at: row.created_at,
+    activated_at: data.activatedAt || void 0,
+    last_updated: row.updated_at,
+    error_message: data.errorMessage || void 0
+  };
+}
+
+// src/plugins/manifest-registry.ts
+var PLUGIN_REGISTRY = {
+  "ai-search": {
+    "id": "ai-search",
+    "codeName": "ai-search-plugin",
+    "displayName": "AI Search",
+    "description": "Advanced search with Cloudflare AI Search. Full-text search, semantic search, and advanced filtering across all content collections.",
+    "version": "1.0.0",
+    "author": "SonicJS",
+    "category": "content",
+    "iconEmoji": "\u{1F50D}",
+    "is_core": true,
+    "permissions": [
+      "settings:write",
+      "admin:access",
+      "content:read"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "enabled": true,
+      "ai_mode_enabled": true,
+      "selected_collections": [],
+      "dismissed_collections": [],
+      "autocomplete_enabled": true,
+      "cache_duration": 1,
+      "results_limit": 20,
+      "index_media": false
+    },
+    "adminMenu": {
+      "label": "AI Search",
+      "icon": "magnifying-glass",
+      "path": "/admin/plugins/ai-search",
+      "order": 50
+    }
+  },
+  "core-analytics": {
+    "id": "core-analytics",
+    "codeName": "core-analytics",
+    "displayName": "Analytics & Insights",
+    "description": "Core analytics system for tracking page views, user behavior, and content performance. Provides dashboards and reports with real-time metrics",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "seo",
+    "iconEmoji": "\u{1F4CA}",
+    "is_core": true,
+    "permissions": [
+      "analytics:view",
+      "analytics:export"
+    ],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": {
+      "label": "Analytics",
+      "icon": "chart-bar",
+      "path": "/admin/analytics",
+      "order": 50
+    }
+  },
+  "core-auth": {
+    "id": "core-auth",
+    "codeName": "core-auth",
+    "displayName": "Authentication System",
+    "description": "Core authentication and user management system with role-based access control, session management, and security features",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "security",
+    "iconEmoji": "\u{1F510}",
+    "is_core": true,
+    "permissions": [
+      "manage:users",
+      "manage:roles",
+      "manage:permissions"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "requiredFields": {
+        "email": {
+          "required": true,
+          "minLength": 5,
+          "label": "Email",
+          "type": "email"
+        },
+        "password": {
+          "required": true,
+          "minLength": 8,
+          "label": "Password",
+          "type": "password"
+        },
+        "firstName": {
+          "required": true,
+          "minLength": 1,
+          "label": "First Name",
+          "type": "text"
+        },
+        "lastName": {
+          "required": true,
+          "minLength": 1,
+          "label": "Last Name",
+          "type": "text"
+        }
+      },
+      "validation": {
+        "emailFormat": true,
+        "passwordRequirements": {
+          "requireUppercase": false,
+          "requireLowercase": false,
+          "requireNumbers": false,
+          "requireSpecialChars": false
+        }
+      },
+      "registration": {
+        "enabled": true,
+        "requireEmailVerification": false,
+        "defaultRole": "viewer"
+      }
+    },
+    "adminMenu": null
+  },
+  "core-cache": {
+    "id": "core-cache",
+    "codeName": "core-cache",
+    "displayName": "Cache System",
+    "description": "Three-tiered caching system with in-memory and KV storage. Provides automatic caching for content, users, media, and API responses with configurable TTL and invalidation patterns.",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS",
+    "category": "system",
+    "iconEmoji": "\u26A1",
+    "is_core": true,
+    "permissions": [
+      "cache.view",
+      "cache.clear",
+      "cache.invalidate"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "enableMemoryCache": true,
+      "enableKVCache": true,
+      "enableDatabaseCache": true,
+      "defaultTTL": 3600
+    },
+    "adminMenu": {
+      "label": "Cache",
+      "icon": "server",
+      "path": "/admin/cache",
+      "order": 60
+    }
+  },
+  "core-media": {
+    "id": "core-media",
+    "codeName": "core-media",
+    "displayName": "Media Manager",
+    "description": "Core media upload and management system with support for images, videos, and documents. Includes automatic optimization, thumbnail generation, and cloud storage integration",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "media",
+    "iconEmoji": "\u{1F4F8}",
+    "is_core": true,
+    "permissions": [
+      "manage:media",
+      "upload:files"
+    ],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": {
+      "label": "Media",
+      "icon": "image",
+      "path": "/admin/media",
+      "order": 30
+    }
+  },
+  "database-tools": {
+    "id": "database-tools",
+    "codeName": "database-tools",
+    "displayName": "Database Tools",
+    "description": "Database management and administration tools including migrations, backups, and query execution",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "development",
+    "iconEmoji": "\u{1F5C4}\uFE0F",
+    "is_core": true,
+    "permissions": [
+      "database:admin"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "enableTruncate": true,
+      "enableBackup": true,
+      "enableValidation": true,
+      "requireConfirmation": true
+    },
+    "adminMenu": null
+  },
+  "demo-login-plugin": {
+    "id": "demo-login-plugin",
+    "codeName": "demo-login-plugin",
+    "displayName": "Demo Login",
+    "description": "Quick demo login functionality for testing and demonstrations",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "utilities",
+    "iconEmoji": "\u{1F3AF}",
+    "is_core": false,
+    "permissions": [],
+    "dependencies": [
+      "core-auth"
+    ],
+    "defaultSettings": {
+      "enableNotice": true,
+      "demoEmail": "admin@sonicjs.com",
+      "demoPassword": "sonicjs!"
+    },
+    "adminMenu": null
+  },
+  "easy-mdx": {
+    "id": "easy-mdx",
+    "codeName": "easy-mdx",
+    "displayName": "EasyMDE Markdown Editor",
+    "description": "Lightweight markdown editor with live preview. Provides a simple and efficient editor with markdown support for richtext fields.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "editor",
+    "iconEmoji": "\u{1F4DD}",
+    "is_core": false,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {
+      "defaultHeight": 400,
+      "theme": "dark",
+      "toolbar": "full",
+      "placeholder": "Start writing your content..."
+    },
+    "adminMenu": null
+  },
+  "email": {
+    "id": "email",
+    "codeName": "email",
+    "displayName": "Email",
+    "description": "Send transactional emails via Cloudflare Email Service. Subscribes to auth lifecycle events (welcome, password reset, password changed) and runs a 5-minute reconciliation cron against the CF GraphQL Activity Log.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "utilities",
+    "iconEmoji": "\u{1F4E7}",
+    "is_core": true,
+    "permissions": [
+      "email:manage",
+      "email:send",
+      "email:view-logs"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "provider": "cloudflare",
+      "resendApiKey": "",
+      "fromEmail": "",
+      "fromName": "",
+      "replyTo": "",
+      "logoUrl": "",
+      "cfAccountId": "",
+      "cfEmailApiToken": ""
+    },
+    "adminMenu": {
+      "label": "Email",
+      "icon": "envelope",
+      "path": "/admin/plugins/email",
+      "order": 80
+    }
+  },
+  "forms": {
+    "id": "forms",
+    "codeName": "forms",
+    "displayName": "Forms",
+    "description": "Form builder with Form.io integration, Turnstile CAPTCHA support, and submission management",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "content",
+    "iconEmoji": "\u{1F4CB}",
+    "is_core": true,
+    "permissions": [
+      "forms:manage",
+      "forms:view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": {
+      "label": "Forms",
+      "icon": "document-text",
+      "path": "/admin/forms",
+      "order": 30
+    }
+  },
+  "global-variables": {
+    "id": "global-variables",
+    "codeName": "global-variables",
+    "displayName": "Global Variables",
+    "description": "Dynamic content variables with inline token support. Manage key-value variables via admin UI and use {variable_key} syntax in rich text fields for server-side resolution. Includes full CRUD admin page.",
+    "version": "1.1.0",
+    "author": "SonicJS Community",
+    "category": "content",
+    "iconEmoji": "\u{1F524}",
+    "is_core": false,
+    "permissions": [
+      "global-variables:manage",
+      "global-variables:view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "enableResolution": true,
+      "cacheEnabled": true,
+      "cacheTTL": 300
+    },
+    "adminMenu": {
+      "label": "Global Variables",
+      "icon": "variable",
+      "path": "/admin/global-variables",
+      "order": 45
+    }
+  },
+  "hello-world": {
+    "id": "hello-world",
+    "codeName": "hello-world",
+    "displayName": "Hello World",
+    "description": "A simple Hello World plugin demonstration",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "utilities",
+    "iconEmoji": "\u{1F44B}",
+    "is_core": false,
+    "permissions": [
+      "hello-world:view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": {
+      "label": "Hello World",
+      "icon": "hand-raised",
+      "path": "/admin/hello-world",
+      "order": 90
+    }
+  },
+  "lexical-editor": {
+    "id": "lexical-editor",
+    "codeName": "lexical-editor",
+    "displayName": "Lexical Rich Text Editor",
+    "description": "Lexical editor integration for rich text editing. Default rich text editor for SonicJS \u2014 on by default for greenfield installs.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "editor",
+    "iconEmoji": "\u{1F4DD}",
+    "is_core": true,
+    "defaultActive": true,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {
+      "defaultHeight": 300,
+      "defaultToolbar": "standard",
+      "placeholder": "Enter content..."
+    },
+    "adminMenu": {
+      "label": "Lexical Editor",
+      "icon": "pencil-square",
+      "path": "/admin/plugins/lexical-editor",
+      "order": 80
+    }
+  },
+  "magic-link-auth": {
+    "id": "magic-link-auth",
+    "codeName": "magic-link-auth",
+    "displayName": "Magic Link Authentication",
+    "description": "Passwordless authentication via email magic links. Users receive a secure one-time link to sign in without entering a password.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "security",
+    "iconEmoji": "\u{1F517}",
+    "is_core": false,
+    "permissions": [],
+    "dependencies": [
+      "email"
+    ],
+    "defaultSettings": {
+      "linkExpiryMinutes": 15,
+      "rateLimitPerHour": 5,
+      "allowNewUsers": true
+    },
+    "adminMenu": null
+  },
+  "multi-tenant": {
+    "id": "multi-tenant",
+    "codeName": "multi-tenant",
+    "displayName": "Multi-Tenant",
+    "description": "Multi-tenancy for the document model: tenant registry, per-request tenant resolution (header, admin switcher cookie, or domain), and tenant-scoped content isolation. Off by default.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "utilities",
+    "iconEmoji": "\u{1F3E2}",
+    "is_core": false,
+    "permissions": [
+      "tenants.manage",
+      "tenants.view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "headerName": "X-Tenant-Id",
+      "subdomainResolution": false,
+      "rootDomain": ""
+    },
+    "adminMenu": {
+      "label": "Tenants",
+      "icon": "building-office",
+      "path": "/admin/tenants",
+      "order": 80
+    }
+  },
+  "oauth-providers": {
+    "id": "oauth-providers",
+    "codeName": "oauth-providers",
+    "displayName": "OAuth Providers",
+    "description": "OAuth2/OIDC social login with GitHub, Google, and more",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "authentication",
+    "iconEmoji": "\u{1F511}",
+    "is_core": true,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {
+      "providers": {
+        "github": {
+          "clientId": "",
+          "clientSecret": "",
+          "enabled": false
+        },
+        "google": {
+          "clientId": "",
+          "clientSecret": "",
+          "enabled": false
+        }
+      }
+    },
+    "adminMenu": null
+  },
+  "otp-login": {
+    "id": "otp-login",
+    "codeName": "otp-login",
+    "displayName": "OTP Login",
+    "description": "Passwordless authentication via email one-time codes",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "security",
+    "iconEmoji": "\u{1F522}",
+    "is_core": false,
+    "permissions": [
+      "otp:manage",
+      "otp:request",
+      "otp:verify"
+    ],
+    "dependencies": [
+      "email"
+    ],
+    "defaultSettings": {
+      "codeLength": 6,
+      "codeExpiryMinutes": 10,
+      "maxAttempts": 3,
+      "rateLimitPerHour": 5,
+      "allowNewUserRegistration": false,
+      "logoUrl": "",
+      "logoWidth": 150,
+      "logoBorderWidth": 0,
+      "logoBorderColor": "#ffffff",
+      "loginUrl": "",
+      "loginButtonText": ""
+    },
+    "adminMenu": {
+      "label": "OTP Login",
+      "icon": "key",
+      "path": "/admin/plugins/otp-login/settings",
+      "order": 85
+    }
+  },
+  "quill-editor": {
+    "id": "quill-editor",
+    "codeName": "quill-editor",
+    "displayName": "Quill Rich Text Editor",
+    "description": "Quill WYSIWYG editor integration for rich text editing. Lightweight, modern editor with customizable toolbars and dark mode support.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "editor",
+    "iconEmoji": "\u270D\uFE0F",
+    "is_core": true,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {
+      "version": "2.0.2",
+      "defaultHeight": 300,
+      "defaultToolbar": "full",
+      "theme": "snow"
+    },
+    "adminMenu": null
+  },
+  "redirect-management": {
+    "id": "redirect-management",
+    "codeName": "redirect-management",
+    "displayName": "Redirect Management",
+    "description": "URL redirect management with exact, partial, and regex matching",
+    "version": "1.0.0",
+    "author": "ahaas",
+    "category": "utilities",
+    "iconEmoji": "\u21AA\uFE0F",
+    "is_core": false,
+    "permissions": [
+      "redirect.manage",
+      "redirect.view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "enabled": true,
+      "autoOffloadEnabled": false
+    },
+    "adminMenu": {
+      "label": "Redirects",
+      "icon": "arrow-right",
+      "path": "/admin/redirects",
+      "order": 85
+    }
+  },
+  "security-audit": {
+    "id": "security-audit",
+    "codeName": "security-audit",
+    "displayName": "Security Audit",
+    "description": "Security event logging, brute-force detection, and analytics dashboard. Monitors login attempts, registrations, lockouts, and suspicious activity.",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "security",
+    "iconEmoji": "\u{1F6E1}\uFE0F",
+    "is_core": false,
+    "permissions": [
+      "security-audit:view",
+      "security-audit:manage"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "retention": {
+        "daysToKeep": 90,
+        "maxEvents": 1e5,
+        "autoPurge": true
+      },
+      "bruteForce": {
+        "enabled": true,
+        "maxFailedAttemptsPerIP": 10,
+        "maxFailedAttemptsPerEmail": 5,
+        "windowMinutes": 15,
+        "lockoutDurationMinutes": 30,
+        "alertThreshold": 20
+      },
+      "logging": {
+        "logSuccessfulLogins": true,
+        "logLogouts": true,
+        "logRegistrations": true,
+        "logPasswordResets": true,
+        "logPermissionDenied": true
+      }
+    },
+    "adminMenu": {
+      "label": "Security Audit",
+      "icon": "shield-check",
+      "path": "/admin/plugins/security-audit",
+      "order": 85
+    }
+  },
+  "shortcodes": {
+    "id": "shortcodes",
+    "codeName": "shortcodes",
+    "displayName": "Shortcodes",
+    "description": 'Registered shortcode functions for dynamic content. Use [[shortcode_name param="value"]] syntax in rich text fields for server-side resolution. Includes handler registry, CRUD admin, and live preview.',
+    "version": "1.0.0",
+    "author": "SonicJS Community",
+    "category": "content",
+    "iconEmoji": "",
+    "is_core": false,
+    "permissions": [
+      "shortcodes:manage",
+      "shortcodes:view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": {
+      "label": "Shortcodes",
+      "icon": "bolt",
+      "path": "/admin/shortcodes",
+      "order": 46
+    }
+  },
+  "stripe": {
+    "id": "stripe",
+    "codeName": "stripe",
+    "displayName": "Stripe Subscriptions",
+    "description": "Stripe subscription management with webhook handling, checkout sessions, and subscription gating",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "payments",
+    "iconEmoji": "\u{1F4B3}",
+    "is_core": true,
+    "permissions": [
+      "stripe:manage",
+      "stripe:view"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "stripeSecretKey": "",
+      "stripeWebhookSecret": "",
+      "stripePriceId": "",
+      "successUrl": "/admin/dashboard",
+      "cancelUrl": "/admin/dashboard"
+    },
+    "adminMenu": {
+      "label": "Stripe",
+      "icon": "credit-card",
+      "path": "/admin/plugins/stripe",
+      "order": 90
+    }
+  },
+  "tinymce-plugin": {
+    "id": "tinymce-plugin",
+    "codeName": "tinymce-plugin",
+    "displayName": "TinyMCE Rich Text Editor",
+    "description": "Powerful WYSIWYG rich text editor for content creation. Provides a full-featured editor with formatting, media embedding, and customizable toolbars for richtext fields.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "editor",
+    "iconEmoji": "\u{1F4DD}",
+    "is_core": false,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {
+      "apiKey": "no-api-key",
+      "defaultHeight": 300,
+      "defaultToolbar": "full",
+      "skin": "oxide-dark"
+    },
+    "adminMenu": null
+  },
+  "turnstile": {
+    "id": "turnstile",
+    "codeName": "turnstile-plugin",
+    "displayName": "Cloudflare Turnstile",
+    "description": "CAPTCHA-free bot protection using Cloudflare Turnstile. Provides reusable verification for any form.",
+    "version": "1.0.0",
+    "author": "SonicJS",
+    "category": "security",
+    "iconEmoji": "\u{1F6E1}\uFE0F",
+    "is_core": true,
+    "permissions": [
+      "settings:write",
+      "admin:access"
+    ],
+    "dependencies": [],
+    "defaultSettings": {
+      "siteKey": "",
+      "secretKey": "",
+      "theme": "auto",
+      "size": "normal",
+      "mode": "managed",
+      "appearance": "always",
+      "preClearanceEnabled": false,
+      "preClearanceLevel": "managed",
+      "enabled": false
+    },
+    "adminMenu": {
+      "label": "Turnstile",
+      "icon": "shield-check",
+      "path": "/admin/plugins/turnstile/settings",
+      "order": 100
+    }
+  },
+  "user-profiles": {
+    "id": "user-profiles",
+    "codeName": "user-profiles",
+    "displayName": "User Profiles",
+    "description": "Configurable custom profile fields for users",
+    "version": "1.0.0-beta.1",
+    "author": "SonicJS Team",
+    "category": "users",
+    "iconEmoji": "\u{1F464}",
+    "is_core": true,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": null
+  },
+  "versioning": {
+    "id": "versioning",
+    "codeName": "versioning",
+    "displayName": "Versioning",
+    "description": "View and restore content version history for types with versioning enabled.",
+    "version": "1.0.0",
+    "author": "SonicJS Team",
+    "category": "content",
+    "iconEmoji": "\u{1F551}",
+    "is_core": true,
+    "permissions": [],
+    "dependencies": [],
+    "defaultSettings": {},
+    "adminMenu": null
+  }
+};
+var ALL_PLUGIN_IDS = Object.keys(PLUGIN_REGISTRY);
+ALL_PLUGIN_IDS.filter(
+  (id) => PLUGIN_REGISTRY[id]?.adminMenu !== null
+);
+function findPluginByCodeName(codeName) {
+  return Object.values(PLUGIN_REGISTRY).find((p) => p.codeName === codeName) || PLUGIN_REGISTRY[codeName];
+}
+
+// src/services/plugin-bootstrap.ts
+var BOOTSTRAP_PLUGIN_IDS = [
+  "core-auth",
+  // Collect any registry entries marked defaultActive (e.g. lexical-editor)
+  ...Object.values(PLUGIN_REGISTRY).filter((e) => e.defaultActive === true && e.id !== "core-auth").map((e) => e.id)
+];
+function registryToCorePlugin(entry) {
+  return {
+    id: entry.id,
+    name: entry.codeName,
+    display_name: entry.displayName,
+    description: entry.description,
+    version: entry.version,
+    author: entry.author,
+    category: entry.category,
+    icon: entry.iconEmoji,
+    permissions: entry.permissions,
+    dependencies: entry.dependencies,
+    settings: entry.defaultSettings
+  };
+}
+var PluginBootstrapService = class {
+  constructor(db) {
+    this.db = db;
+    this.pluginService = new PluginService(db);
+  }
+  pluginService;
+  /**
+   * Core plugins derived from the auto-generated plugin registry.
+   * Only plugins listed in BOOTSTRAP_PLUGIN_IDS AND marked is_core=true are auto-installed.
+   * Non-core plugins are available in the registry but not bootstrapped.
+   */
+  CORE_PLUGINS = BOOTSTRAP_PLUGIN_IDS.filter((id) => PLUGIN_REGISTRY[id] !== void 0 && PLUGIN_REGISTRY[id].is_core === true).map((id) => registryToCorePlugin(PLUGIN_REGISTRY[id]));
+  /**
+   * Bootstrap all core plugins - install them if they don't exist
+   */
+  async bootstrapCorePlugins() {
+    console.log("[PluginBootstrap] Starting core plugin bootstrap process...");
+    try {
+      for (const corePlugin of this.CORE_PLUGINS) {
+        await this.ensurePluginInstalled(corePlugin);
+      }
+      console.log(
+        "[PluginBootstrap] Core plugin bootstrap completed successfully"
+      );
+    } catch (error) {
+      console.error("[PluginBootstrap] Error during plugin bootstrap:", error);
+      throw error;
+    }
+  }
+  /**
+   * Ensure a specific plugin is installed
+   */
+  async ensurePluginInstalled(plugin) {
+    try {
+      const existingPlugin = await this.pluginService.getPlugin(plugin.id);
+      if (existingPlugin) {
+        console.log(
+          `[PluginBootstrap] Plugin already installed: ${plugin.display_name} (status: ${existingPlugin.status})`
+        );
+        if (existingPlugin.version !== plugin.version) {
+          console.log(
+            `[PluginBootstrap] Updating plugin version: ${plugin.display_name} from ${existingPlugin.version} to ${plugin.version}`
+          );
+          await this.updatePlugin(plugin);
+        }
+        if (plugin.id === "core-auth" && existingPlugin.status !== "active") {
+          console.log(
+            `[PluginBootstrap] Core-auth plugin is inactive, activating it now...`
+          );
+          await this.pluginService.activatePlugin(plugin.id);
+        }
+      } else {
+        console.log(
+          `[PluginBootstrap] Installing plugin: ${plugin.display_name}`
+        );
+        await this.pluginService.installPlugin({
+          ...plugin,
+          is_core: plugin.name.startsWith("core-")
+        });
+        console.log(
+          `[PluginBootstrap] Activating newly installed plugin: ${plugin.display_name}`
+        );
+        await this.pluginService.activatePlugin(plugin.id);
+      }
+    } catch (error) {
+      console.error(
+        `[PluginBootstrap] Error ensuring plugin ${plugin.display_name}:`,
+        error
+      );
+    }
+  }
+  /**
+   * Update an existing plugin's version/description/permissions/settings
+   */
+  async updatePlugin(plugin) {
+    await this.pluginService.updatePluginVersion(plugin.id, {
+      version: plugin.version,
+      description: plugin.description,
+      permissions: plugin.permissions,
+      settings: plugin.settings || {}
+    });
+  }
+  /**
+   * Check if bootstrap is needed (first run detection)
+   */
+  async isBootstrapNeeded() {
+    try {
+      for (const corePlugin of this.CORE_PLUGINS.filter(
+        (p) => p.name.startsWith("core-")
+      )) {
+        const exists = await this.pluginService.getPlugin(corePlugin.id);
+        if (!exists) {
+          return true;
+        }
+      }
+      return false;
+    } catch (error) {
+      console.error(
+        "[PluginBootstrap] Error checking bootstrap status:",
+        error
+      );
+      return true;
+    }
+  }
+};
+
+// src/services/telemetry-service.ts
+var TelemetryService = class {
+  config;
+  identity = null;
+  enabled = true;
+  eventQueue = [];
+  isInitialized = false;
+  constructor(config) {
+    this.config = {
+      ...getTelemetryConfig(),
+      ...config
+    };
+    this.enabled = this.config.enabled;
+  }
+  /**
+   * Initialize the telemetry service
+   */
+  async initialize(identity) {
+    if (!this.enabled) {
+      if (this.config.debug) {
+        console.log("[Telemetry] Disabled via configuration");
+      }
+      return;
+    }
+    try {
+      this.identity = identity;
+      if (this.config.debug) {
+        console.log("[Telemetry] Initialized with installation ID:", identity.installationId);
+      }
+      this.isInitialized = true;
+      await this.flushQueue();
+    } catch (error) {
+      if (this.config.debug) {
+        console.error("[Telemetry] Initialization failed:", error);
+      }
+      this.enabled = false;
+    }
+  }
+  /**
+   * Track a telemetry event
+   */
+  async track(event, properties) {
+    if (!this.enabled) return;
+    try {
+      const sanitizedProps = this.sanitizeProperties(properties);
+      const enrichedProps = {
+        ...sanitizedProps,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        version: this.getVersion()
+      };
+      if (!this.isInitialized) {
+        this.eventQueue.push({ event, properties: enrichedProps });
+        if (this.config.debug) {
+          console.log("[Telemetry] Queued event:", event, enrichedProps);
+        }
+        return;
+      }
+      if (this.identity && this.config.host) {
+        const payload = {
+          data: {
+            installation_id: this.identity.installationId,
+            event_type: event,
+            properties: enrichedProps,
+            timestamp: enrichedProps.timestamp
+          }
+        };
+        fetch(`${this.config.host}/v1/events`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(payload)
+        }).catch(() => {
+        });
+        if (this.config.debug) {
+          console.log("[Telemetry] Tracked event:", event, enrichedProps);
+        }
+      } else if (this.config.debug) {
+        console.log("[Telemetry] Event (no endpoint):", event, enrichedProps);
+      }
+    } catch (error) {
+      if (this.config.debug) {
+        console.error("[Telemetry] Failed to track event:", error);
+      }
+    }
+  }
+  /**
+   * Track installation started
+   */
+  async trackInstallationStarted(properties) {
+    await this.track("installation_started", properties);
+  }
+  /**
+   * Track installation completed
+   */
+  async trackInstallationCompleted(properties) {
+    await this.track("installation_completed", properties);
+  }
+  /**
+   * Track installation failed
+   */
+  async trackInstallationFailed(error, properties) {
+    await this.track("installation_failed", {
+      ...properties,
+      errorType: sanitizeErrorMessage(error)
+    });
+  }
+  /**
+   * Track dev server started
+   */
+  async trackDevServerStarted(properties) {
+    await this.track("dev_server_started", properties);
+  }
+  /**
+   * Track page view in admin UI
+   */
+  async trackPageView(route, properties) {
+    await this.track("page_viewed", {
+      ...properties,
+      route: sanitizeRoute(route)
+    });
+  }
+  /**
+   * Track error (sanitized)
+   */
+  async trackError(error, properties) {
+    await this.track("error_occurred", {
+      ...properties,
+      errorType: sanitizeErrorMessage(error)
+    });
+  }
+  /**
+   * Track plugin activation
+   */
+  async trackPluginActivated(properties) {
+    await this.track("plugin_activated", properties);
+  }
+  /**
+   * Track migration run
+   */
+  async trackMigrationRun(properties) {
+    await this.track("migration_run", properties);
+  }
+  /**
+   * Track project snapshot — fired on bootstrap to capture runtime project shape.
+   * Arrays serialized as JSON strings (sanitizeProperties strips objects/arrays).
+   */
+  async trackProjectSnapshot(data) {
+    if (!this.identity) {
+      this.identity = { installationId: data.installation_id };
+      this.isInitialized = true;
+    }
+    await this.track("project_snapshot", {
+      installation_id: data.installation_id,
+      collection_names: JSON.stringify(data.collection_names),
+      collection_counts: JSON.stringify(data.collection_counts),
+      active_plugins: JSON.stringify(data.active_plugins),
+      field_type_histogram: JSON.stringify(data.field_type_histogram),
+      doc_total: data.doc_total,
+      sonicjs_version: data.sonicjs_version
+    });
+  }
+  /**
+   * Flush queued events
+   */
+  async flushQueue() {
+    if (this.eventQueue.length === 0) return;
+    const queue = [...this.eventQueue];
+    this.eventQueue = [];
+    for (const { event, properties } of queue) {
+      await this.track(event, properties);
+    }
+  }
+  /**
+   * Sanitize properties to ensure no PII
+   */
+  sanitizeProperties(properties) {
+    if (!properties) return {};
+    const sanitized = {};
+    for (const [key, value] of Object.entries(properties)) {
+      if (value === void 0) continue;
+      if (key === "route" && typeof value === "string") {
+        sanitized[key] = sanitizeRoute(value);
+        continue;
+      }
+      if (key.toLowerCase().includes("error") && typeof value === "string") {
+        sanitized[key] = sanitizeErrorMessage(value);
+        continue;
+      }
+      if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+        sanitized[key] = value;
+      }
+    }
+    return sanitized;
+  }
+  /**
+   * Get SonicJS version
+   */
+  getVersion() {
+    try {
+      if (typeof process !== "undefined" && process.env) {
+        return process.env.SONICJS_VERSION || "2.0.0";
+      }
+      return "2.0.0";
+    } catch {
+      return "unknown";
+    }
+  }
+  /**
+   * Shutdown the telemetry service (no-op for fetch-based telemetry)
+   */
+  async shutdown() {
+  }
+  /**
+   * Enable telemetry
+   */
+  enable() {
+    this.enabled = true;
+  }
+  /**
+   * Disable telemetry
+   */
+  disable() {
+    this.enabled = false;
+  }
+  /**
+   * Check if telemetry is enabled
+   */
+  isEnabled() {
+    return this.enabled;
+  }
+};
+var telemetryInstance = null;
+function getTelemetryService(config) {
+  if (!telemetryInstance) {
+    telemetryInstance = new TelemetryService(config);
+  }
+  return telemetryInstance;
+}
+async function initTelemetry(identity, config) {
+  const service = getTelemetryService(config);
+  await service.initialize(identity);
+  return service;
+}
+function createInstallationIdentity(projectName) {
+  const installationId = generateInstallationId();
+  const identity = { installationId };
+  if (projectName) {
+    identity.projectId = generateProjectId(projectName);
+  }
+  return identity;
+}
+
+export { CollectionRegistry, MULTI_TENANT_PLUGIN_ID, PLUGIN_REGISTRY, PluginBootstrapService, PluginService, TENANT_COOKIE, TelemetryService, collectionRecordToRow, createInstallationIdentity, findPluginByCodeName, getAvailableCollectionNames, getCollectionRegistry, getTelemetryService, getVisibleCollections, initTelemetry, invalidateTenantCache, isCodeCollectionInternal, isDbDocTypeInternal, loadCollectionConfig, loadCollectionConfigs, registerCollections, resetCollectionRegistry, tenantMiddleware, validateCollectionConfig };
+//# sourceMappingURL=chunk-QLFTG3QJ.js.map
+//# sourceMappingURL=chunk-QLFTG3QJ.js.map