@swarmclawai/swarmclaw 0.7.2 → 0.7.4

package/src/app/api/external-agents/route.ts

@@ -0,0 +1,66 @@
+import { NextResponse } from 'next/server'
+import { genId } from '@/lib/id'
+import { formatZodError, ExternalAgentRegisterSchema } from '@/lib/validation/schemas'
+import { loadExternalAgents, saveExternalAgents } from '@/lib/server/storage'
+import { notify } from '@/lib/server/ws-hub'
+import type { ExternalAgentRuntime } from '@/types'
+import { z } from 'zod'
+export const dynamic = 'force-dynamic'
+
+function withDerivedStatus(record: ExternalAgentRuntime): ExternalAgentRuntime {
+  const now = Date.now()
+  const lastSeenAt = typeof record.lastSeenAt === 'number' ? record.lastSeenAt : null
+  const staleMs = 3 * 60_000
+  if (!lastSeenAt) return { ...record, status: record.status || 'offline' }
+  if (record.status === 'offline') return record
+  return {
+    ...record,
+    status: now - lastSeenAt > staleMs ? 'stale' : (record.status || 'online'),
+  }
+}
+
+export async function GET() {
+  const runtimes = loadExternalAgents()
+  const items: ExternalAgentRuntime[] = Object.values(runtimes)
+    .map((item) => withDerivedStatus(item))
+    .sort((a, b) => (b.lastSeenAt || b.updatedAt || 0) - (a.lastSeenAt || a.updatedAt || 0))
+  return NextResponse.json(items)
+}
+
+export async function POST(req: Request) {
+  const raw = await req.json().catch(() => ({}))
+  const parsed = ExternalAgentRegisterSchema.safeParse(raw)
+  if (!parsed.success) {
+    return NextResponse.json(formatZodError(parsed.error as z.ZodError), { status: 400 })
+  }
+  const body = parsed.data
+  const now = Date.now()
+  const items = loadExternalAgents()
+  const id = body.id || `external-${genId()}`
+  const existing = items[id]
+  items[id] = {
+    ...existing,
+    id,
+    name: body.name.trim(),
+    sourceType: body.sourceType,
+    status: body.status || existing?.status || 'online',
+    provider: (body.provider as ExternalAgentRuntime['provider']) || null,
+    model: body.model || null,
+    workspace: body.workspace || null,
+    transport: body.transport || null,
+    endpoint: body.endpoint || null,
+    agentId: body.agentId || null,
+    gatewayProfileId: body.gatewayProfileId || null,
+    capabilities: body.capabilities,
+    labels: body.labels,
+    metadata: body.metadata,
+    tokenStats: body.tokenStats,
+    lastHeartbeatAt: existing?.lastHeartbeatAt || now,
+    lastSeenAt: now,
+    createdAt: existing?.createdAt || now,
+    updatedAt: now,
+  }
+  saveExternalAgents(items)
+  notify('external_agents')
+  return NextResponse.json(items[id])
+}

package/src/app/api/files/open/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import { exec } from 'child_process'
+import { spawn } from 'child_process'
 import fs from 'fs'
 import path from 'path'
 
@@ -19,25 +19,27 @@ export async function POST(req: Request) {
   const isDir = fs.statSync(resolved).isDirectory()
   const platform = process.platform
 
-  // Determine the command to reveal in the OS file manager
-  let cmd: string
+  let command: string
+  let args: string[]
   if (platform === 'darwin') {
-    // macOS: -R reveals in Finder (selects the item), for dirs just open the dir
-    cmd = isDir ? `open "${resolved}"` : `open -R "${resolved}"`
+    command = 'open'
+    args = isDir ? [resolved] : ['-R', resolved]
   } else if (platform === 'win32') {
-    cmd = isDir ? `explorer "${resolved}"` : `explorer /select,"${resolved}"`
+    command = 'explorer'
+    args = isDir ? [resolved] : [`/select,${resolved}`]
   } else {
-    // Linux: xdg-open on the directory containing the file
-    cmd = `xdg-open "${isDir ? resolved : path.dirname(resolved)}"`
+    command = 'xdg-open'
+    args = [isDir ? resolved : path.dirname(resolved)]
   }
 
   return new Promise<NextResponse>((resolve) => {
-    exec(cmd, (err) => {
-      if (err) {
-        resolve(NextResponse.json({ error: err.message }, { status: 500 }))
-      } else {
-        resolve(NextResponse.json({ ok: true }))
-      }
+    const child = spawn(command, args, { stdio: 'ignore' })
+    child.once('error', (err) => {
+      resolve(NextResponse.json({ error: err.message }, { status: 500 }))
+    })
+    child.once('spawn', () => {
+      child.unref()
+      resolve(NextResponse.json({ ok: true }))
     })
   })
 }

package/src/app/api/gateways/[id]/health/route.ts

@@ -0,0 +1,28 @@
+import { NextResponse } from 'next/server'
+import { probeOpenClawHealth } from '@/lib/server/openclaw-health'
+import { loadGatewayProfiles, saveGatewayProfiles } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
+import { notify } from '@/lib/server/ws-hub'
+export const dynamic = 'force-dynamic'
+
+export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const gateways = loadGatewayProfiles()
+  const gateway = gateways[id]
+  if (!gateway) return notFound()
+
+  const result = await probeOpenClawHealth({
+    endpoint: gateway.endpoint,
+    credentialId: gateway.credentialId || null,
+  })
+
+  gateway.status = result.ok ? 'healthy' : (result.authProvided ? 'degraded' : 'offline')
+  gateway.lastCheckedAt = Date.now()
+  gateway.lastError = result.ok ? null : (result.error || result.hint || 'Gateway health check failed.')
+  gateway.lastModelCount = Array.isArray(result.models) ? result.models.length : 0
+  gateway.updatedAt = Date.now()
+  saveGatewayProfiles(gateways)
+  notify('gateways')
+
+  return NextResponse.json(result)
+}

package/src/app/api/gateways/[id]/route.ts

@@ -0,0 +1,79 @@
+import { NextResponse } from 'next/server'
+import { normalizeOpenClawEndpoint } from '@/lib/openclaw-endpoint'
+import { loadAgents, loadGatewayProfiles, saveAgents, saveGatewayProfiles } from '@/lib/server/storage'
+import { mutateItem, notFound, type CollectionOps } from '@/lib/server/collection-helpers'
+import type { Agent, AgentRoutingTarget, GatewayProfile } from '@/types'
+
+const ops: CollectionOps<GatewayProfile> = {
+  load: loadGatewayProfiles,
+  save: saveGatewayProfiles,
+  topic: 'gateways',
+}
+
+function normalizeTags(value: unknown): string[] {
+  if (!Array.isArray(value)) return []
+  return value
+    .map((entry) => (typeof entry === 'string' ? entry.trim() : ''))
+    .filter(Boolean)
+}
+
+export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const body = await req.json().catch(() => ({}))
+  const result = mutateItem(ops, id, (gateway, all) => {
+    if (body.isDefault === true) {
+      for (const [candidateId, candidate] of Object.entries(all)) {
+        if (candidateId === id || !candidate || typeof candidate !== 'object') continue
+        candidate.isDefault = false
+      }
+    }
+    if (body.name !== undefined) gateway.name = String(body.name || '').trim() || gateway.name
+    if (body.endpoint !== undefined) gateway.endpoint = normalizeOpenClawEndpoint(body.endpoint || undefined)
+    if (body.wsUrl !== undefined) gateway.wsUrl = body.wsUrl || null
+    if (body.credentialId !== undefined) gateway.credentialId = body.credentialId || null
+    if (body.status !== undefined) gateway.status = body.status || 'unknown'
+    if (body.notes !== undefined) gateway.notes = body.notes || null
+    if (body.tags !== undefined) gateway.tags = normalizeTags(body.tags)
+    if (body.lastError !== undefined) gateway.lastError = body.lastError || null
+    if (body.lastCheckedAt !== undefined) gateway.lastCheckedAt = body.lastCheckedAt || null
+    if (body.lastModelCount !== undefined) gateway.lastModelCount = body.lastModelCount || null
+    if (body.discoveredHost !== undefined) gateway.discoveredHost = body.discoveredHost || null
+    if (body.discoveredPort !== undefined) gateway.discoveredPort = body.discoveredPort || null
+    if (body.isDefault !== undefined) gateway.isDefault = body.isDefault === true
+    gateway.updatedAt = Date.now()
+    return gateway
+  })
+  if (!result) return notFound()
+  return NextResponse.json(result)
+}
+
+export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const gateways = loadGatewayProfiles()
+  if (!gateways[id]) return notFound()
+  delete gateways[id]
+  saveGatewayProfiles(gateways)
+
+  const agents = loadAgents({ includeTrashed: true })
+  let agentChanged = false
+  for (const agent of Object.values(agents) as Agent[]) {
+    if (agent.gatewayProfileId === id) {
+      agent.gatewayProfileId = null
+      agentChanged = true
+    }
+    if (Array.isArray(agent.routingTargets)) {
+      const nextTargets = agent.routingTargets.map((target: AgentRoutingTarget) => (
+        target.gatewayProfileId === id
+          ? { ...target, gatewayProfileId: null }
+          : target
+      ))
+      if (JSON.stringify(nextTargets) !== JSON.stringify(agent.routingTargets)) {
+        agent.routingTargets = nextTargets
+        agentChanged = true
+      }
+    }
+  }
+  if (agentChanged) saveAgents(agents)
+
+  return NextResponse.json({ ok: true })
+}

package/src/app/api/gateways/route.ts

@@ -0,0 +1,57 @@
+import { NextResponse } from 'next/server'
+import { genId } from '@/lib/id'
+import { normalizeOpenClawEndpoint } from '@/lib/openclaw-endpoint'
+import { getGatewayProfiles } from '@/lib/server/agent-runtime-config'
+import { loadGatewayProfiles, saveGatewayProfiles } from '@/lib/server/storage'
+import { notify } from '@/lib/server/ws-hub'
+export const dynamic = 'force-dynamic'
+
+function normalizeTags(value: unknown): string[] {
+  if (!Array.isArray(value)) return []
+  return value
+    .map((entry) => (typeof entry === 'string' ? entry.trim() : ''))
+    .filter(Boolean)
+}
+
+export async function GET() {
+  return NextResponse.json(getGatewayProfiles('openclaw'))
+}
+
+export async function POST(req: Request) {
+  const body = await req.json().catch(() => ({}))
+  const endpoint = normalizeOpenClawEndpoint(body.endpoint || undefined)
+  const now = Date.now()
+  const gateways = loadGatewayProfiles()
+  const id = body.id || `gateway-${genId()}`
+  const isDefault = body.isDefault === true
+
+  if (isDefault) {
+    for (const gateway of Object.values(gateways) as Array<Record<string, unknown>>) {
+      gateway.isDefault = false
+    }
+  }
+
+  gateways[id] = {
+    id,
+    name: typeof body.name === 'string' && body.name.trim() ? body.name.trim() : 'OpenClaw Gateway',
+    provider: 'openclaw',
+    endpoint,
+    wsUrl: body.wsUrl || null,
+    credentialId: body.credentialId || null,
+    status: body.status || 'unknown',
+    notes: typeof body.notes === 'string' ? body.notes : null,
+    tags: normalizeTags(body.tags),
+    lastError: null,
+    lastCheckedAt: null,
+    lastModelCount: null,
+    discoveredHost: typeof body.discoveredHost === 'string' ? body.discoveredHost : null,
+    discoveredPort: typeof body.discoveredPort === 'number' ? body.discoveredPort : null,
+    isDefault,
+    createdAt: now,
+    updatedAt: now,
+  }
+
+  saveGatewayProfiles(gateways)
+  notify('gateways')
+  return NextResponse.json(gateways[id])
+}

package/src/app/api/memory/maintenance/route.ts

@@ -1,6 +1,9 @@
 import { NextResponse } from 'next/server'
+import path from 'path'
 import { getMemoryDb } from '@/lib/server/memory-db'
 import { loadSettings } from '@/lib/server/storage'
+import { syncAllSessionArchiveMemories } from '@/lib/server/session-archive-memory'
+import { DATA_DIR } from '@/lib/server/data-dir'
 
 function parseBool(value: unknown, fallback: boolean): boolean {
   if (typeof value === 'boolean') return value
@@ -33,10 +36,13 @@ export async function GET(req: Request) {
     24 * 365,
   )
   const analyzed = db.analyzeMaintenance(ttlHours)
+  const archiveSync = syncAllSessionArchiveMemories()
   return NextResponse.json({
     ok: true,
     ttlHours,
     analyzed,
+    archiveSync,
+    archiveExportDir: path.join(DATA_DIR, 'session-archives'),
   })
 }
 
@@ -46,6 +52,9 @@ export async function POST(req: Request) {
   const db = getMemoryDb()
   const ttlHours = parseIntBounded(body?.ttlHours ?? settings.memoryWorkingTtlHours, 24, 1, 24 * 365)
   const maxDeletes = parseIntBounded(body?.maxDeletes, 500, 1, 20_000)
+  const archiveSync = body?.syncArchives === false
+    ? { synced: 0, skipped: 0, sessionIds: [] }
+    : syncAllSessionArchiveMemories()
   const result = db.maintain({
     ttlHours,
     maxDeletes,
@@ -57,7 +66,8 @@ export async function POST(req: Request) {
     ok: true,
     ttlHours,
     maxDeletes,
+    archiveSync,
+    archiveExportDir: path.join(DATA_DIR, 'session-archives'),
     ...result,
   })
 }
-

package/src/app/api/openclaw/agent-files/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { ensureGatewayConnected } from '@/lib/server/openclaw-gateway'
+import { resolveOpenClawGatewayAgentId } from '@/lib/server/openclaw-agent-resolver'
 
 const AGENT_FILES = ['SOUL.md', 'IDENTITY.md', 'USER.md', 'TOOLS.md', 'HEARTBEAT.md', 'MEMORY.md', 'AGENTS.md'] as const
 
@@ -16,12 +17,24 @@ export async function GET(req: Request) {
     return NextResponse.json({ error: 'OpenClaw gateway not connected' }, { status: 503 })
   }
 
+  let gatewayAgentId: string
+  try {
+    gatewayAgentId = await resolveOpenClawGatewayAgentId(agentId, gw)
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : String(err)
+    const status = message.includes('not an OpenClaw agent') ? 400 : 404
+    return NextResponse.json({ error: message }, { status })
+  }
+
   const files: Record<string, { content: string; error?: string }> = {}
   await Promise.all(
     AGENT_FILES.map(async (filename) => {
       try {
-        const result = await gw.rpc('agents.files.get', { agentId, filename }) as { content?: string } | undefined
-        files[filename] = { content: result?.content ?? '' }
+        const result = await gw.rpc('agents.files.get', {
+          agentId: gatewayAgentId,
+          name: filename,
+        }) as { file?: { content?: string } } | undefined
+        files[filename] = { content: result?.file?.content ?? '' }
       } catch (err: unknown) {
         files[filename] = { content: '', error: err instanceof Error ? err.message : String(err) }
       }
@@ -48,10 +61,20 @@ export async function PUT(req: Request) {
   }
 
   try {
-    await gw.rpc('agents.files.set', { agentId, filename, content: content ?? '' })
+    const gatewayAgentId = await resolveOpenClawGatewayAgentId(agentId, gw)
+    await gw.rpc('agents.files.set', {
+      agentId: gatewayAgentId,
+      name: filename,
+      content: content ?? '',
+    })
     return NextResponse.json({ ok: true })
   } catch (err: unknown) {
     const message = err instanceof Error ? err.message : String(err)
-    return NextResponse.json({ error: message }, { status: 502 })
+    const status = message.includes('not an OpenClaw agent')
+      ? 400
+      : message.includes('not found')
+        ? 404
+        : 502
+    return NextResponse.json({ error: message }, { status })
   }
 }

package/src/app/api/openclaw/gateway/route.ts

@@ -5,6 +5,7 @@ import { ensureGatewayConnected, getGateway, disconnectGateway, manualConnect }
 export async function POST(req: Request) {
   const body = await req.json()
   const { method, params } = body as { method?: string; params?: Record<string, unknown> }
+  const profileId = typeof params?.profileId === 'string' ? params.profileId : undefined
   if (!method || typeof method !== 'string') {
     return NextResponse.json({ error: 'Missing RPC method' }, { status: 400 })
   }
@@ -14,7 +15,7 @@ export async function POST(req: Request) {
     try {
       const url = (params?.url as string) || undefined
       const token = (params?.token as string) || undefined
-      const ok = await manualConnect(url, token)
+      const ok = await manualConnect(url, token, profileId)
       return NextResponse.json({ ok })
     } catch (err: unknown) {
       return NextResponse.json({ ok: false, error: err instanceof Error ? err.message : String(err) }, { status: 502 })
@@ -22,13 +23,13 @@ export async function POST(req: Request) {
   }
 
   if (method === 'gateway.disconnect') {
-    disconnectGateway()
+    disconnectGateway(profileId)
     return NextResponse.json({ ok: true })
   }
 
   // Reload mode get/set
   if (method === 'gateway.reload-mode.get') {
-    const gw = await ensureGatewayConnected()
+    const gw = await ensureGatewayConnected({ profileId })
     if (!gw) return NextResponse.json({ error: 'Not connected' }, { status: 503 })
     try {
       const config = await gw.rpc('config.get') as Record<string, unknown> | undefined
@@ -40,7 +41,7 @@ export async function POST(req: Request) {
   }
 
   if (method === 'gateway.reload-mode.set') {
-    const gw = await ensureGatewayConnected()
+    const gw = await ensureGatewayConnected({ profileId })
     if (!gw) return NextResponse.json({ error: 'Not connected' }, { status: 503 })
     try {
       await gw.rpc('config.set', { reloadMode: params?.mode })
@@ -51,7 +52,7 @@ export async function POST(req: Request) {
   }
 
   // General RPC proxy
-  const gw = await ensureGatewayConnected()
+  const gw = await ensureGatewayConnected({ profileId })
   if (!gw) {
     return NextResponse.json({ error: 'OpenClaw gateway not connected' }, { status: 503 })
   }
@@ -66,7 +67,9 @@ export async function POST(req: Request) {
 }
 
 /** GET — check gateway connection status */
-export async function GET() {
-  const gw = getGateway()
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const profileId = searchParams.get('profileId') || undefined
+  const gw = getGateway(profileId || undefined)
   return NextResponse.json({ connected: !!gw?.connected })
 }

package/src/app/api/openclaw/skills/route.ts

@@ -1,8 +1,10 @@
 import { NextResponse } from 'next/server'
 import { ensureGatewayConnected } from '@/lib/server/openclaw-gateway'
+import { resolveOpenClawGatewayAgentId } from '@/lib/server/openclaw-agent-resolver'
+import { normalizeOpenClawSkillsPayload } from '@/lib/server/openclaw-skills-normalize'
 import { loadAgents, saveAgents } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
-import type { OpenClawSkillEntry, SkillAllowlistMode } from '@/types'
+import type { SkillAllowlistMode } from '@/types'
 
 /** GET ?agentId=X — fetch skills from gateway with eligibility */
 export async function GET(req: Request) {
@@ -18,11 +20,17 @@ export async function GET(req: Request) {
   }
 
   try {
-    const result = await gw.rpc('skills.status', { agentId }) as OpenClawSkillEntry[] | undefined
-    return NextResponse.json(result ?? [])
+    const gatewayAgentId = await resolveOpenClawGatewayAgentId(agentId, gw)
+    const result = await gw.rpc('skills.status', { agentId: gatewayAgentId }) as unknown
+    return NextResponse.json(normalizeOpenClawSkillsPayload(result))
   } catch (err: unknown) {
     const message = err instanceof Error ? err.message : String(err)
-    return NextResponse.json({ error: message }, { status: 502 })
+    const status = message.includes('not an OpenClaw agent')
+      ? 400
+      : message.includes('not found')
+        ? 404
+        : 502
+    return NextResponse.json({ error: message }, { status })
   }
 }
 

package/src/app/api/plugins/dependencies/route.ts

@@ -0,0 +1,24 @@
+import { NextResponse } from 'next/server'
+import { getPluginManager } from '@/lib/server/plugins'
+
+export async function POST(req: Request) {
+  const body = await req.json()
+  const filename = typeof body?.filename === 'string' ? body.filename : ''
+  const packageManager = typeof body?.packageManager === 'string' ? body.packageManager : undefined
+
+  if (!filename) {
+    return NextResponse.json({ error: 'filename is required' }, { status: 400 })
+  }
+
+  try {
+    const result = await getPluginManager().installPluginDependencies(filename, {
+      packageManager: packageManager as import('@/types').PluginPackageManager | undefined,
+    })
+    return NextResponse.json({ ok: true, dependencyInfo: result })
+  } catch (err: unknown) {
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : String(err) },
+      { status: 400 },
+    )
+  }
+}

package/src/app/api/plugins/install/route.ts

@@ -1,110 +1,33 @@
 import { NextResponse } from 'next/server'
-import fs from 'fs'
-import path from 'path'
-import { getPluginManager } from '@/lib/server/plugins'
-
-const PLUGINS_DIR = path.join(process.cwd(), 'data', 'plugins')
-
-function toRawUrl(url: string): string {
-  if (url.includes('github.com') && url.includes('/blob/')) {
-    return url.replace('github.com', 'raw.githubusercontent.com').replace('/blob/', '/')
-  }
-  if (url.includes('gist.github.com')) {
-    return url.endsWith('/raw') ? url : `${url}/raw`
-  }
-  return url
-}
-
-function normalizeMarketplaceUrl(url: string): string {
-  const trimmed = typeof url === 'string' ? url.trim() : ''
-  if (!trimmed) return trimmed
-
-  let normalized = trimmed
-    .replace('github.com/swarmclawai/plugins/', 'github.com/swarmclawai/swarmforge/')
-    .replace('raw.githubusercontent.com/swarmclawai/plugins/', 'raw.githubusercontent.com/swarmclawai/swarmforge/')
-
-  normalized = toRawUrl(normalized)
-
-  // Legacy registry entries used master and old repo names.
-  normalized = normalized
-    .replace('/swarmclawai/swarmforge/master/', '/swarmclawai/swarmforge/main/')
-    .replace('/swarmclawai/plugins/master/', '/swarmclawai/swarmforge/main/')
-    .replace('/swarmclawai/plugins/main/', '/swarmclawai/swarmforge/main/')
-
-  return normalized
-}
+import { getPluginManager, sanitizePluginFilename } from '@/lib/server/plugins'
 
 export async function POST(req: Request) {
   const body = await req.json()
-  const { url, filename } = body
-  const rawUrl = normalizeMarketplaceUrl(url)
+  const url = typeof body?.url === 'string' ? body.url : ''
+  const filename = typeof body?.filename === 'string' ? body.filename : ''
 
-  // Validate URL
-  if (!url || typeof url !== 'string' || !url.startsWith('https://')) {
+  if (!url || !url.startsWith('https://')) {
     return NextResponse.json(
       { error: 'URL must be a valid HTTPS URL' },
       { status: 400 },
     )
   }
 
-  // Validate filename
-  if (!filename || typeof filename !== 'string' || !filename.endsWith('.js')) {
-    return NextResponse.json(
-      { error: 'Filename must end in .js' },
-      { status: 400 },
-    )
-  }
-
-  // Path traversal protection
-  const sanitized = path.basename(filename)
-  if (sanitized !== filename || filename.includes('..')) {
-    return NextResponse.json(
-      { error: 'Invalid filename' },
-      { status: 400 },
-    )
-  }
-
   try {
-    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(15_000) })
-    if (!res.ok) {
-      return NextResponse.json(
-        { error: `Download failed (HTTP ${res.status}) from ${rawUrl}` },
-        { status: 502 },
-      )
-    }
-    const contentType = res.headers.get('content-type') || ''
-    let code = await res.text()
-
-    // Reject HTML responses (likely a GitHub page, not raw content)
-    if (contentType.includes('text/html') && code.includes('<!DOCTYPE')) {
-      return NextResponse.json(
-        { error: 'URL returned an HTML page instead of JavaScript. Use a raw/direct link to the .js file.' },
-        { status: 400 },
-      )
-    }
-
-    // Compatibility fix: Strip node-fetch requires if present, as modern Node has global fetch
-    code = code.replace(/const\s+fetch\s*=\s*require\(['"]node-fetch['"]\);?/g, '// node-fetch stripped for compatibility')
-    code = code.replace(/import\s+fetch\s+from\s+['"]node-fetch['"];?/g, '// node-fetch stripped for compatibility')
-
-    // Ensure plugins directory exists
-    if (!fs.existsSync(PLUGINS_DIR)) {
-      fs.mkdirSync(PLUGINS_DIR, { recursive: true })
-    }
-
-    const dest = path.join(PLUGINS_DIR, sanitized)
-    fs.writeFileSync(dest, code, 'utf8')
-
-    // Force plugin manager to re-scan so the new plugin appears in listings
-    getPluginManager().reload()
-
-    return NextResponse.json({ ok: true, filename: sanitized })
+    const sanitizedFilename = sanitizePluginFilename(filename)
+    const installed = await getPluginManager().installPluginFromUrl(url, sanitizedFilename)
+    return NextResponse.json({ ok: true, filename: installed.filename, hash: installed.sourceHash })
   } catch (err: unknown) {
     const msg = err instanceof Error ? err.message : String(err)
-    const isTimeout = msg.includes('abort') || msg.includes('timeout')
+    const isTimeout = /abort|timeout/i.test(msg)
+    const status = /valid HTTPS URL|Filename|Invalid filename|HTML page|too large/i.test(msg)
+      ? 400
+      : isTimeout
+        ? 504
+        : 500
     return NextResponse.json(
-      { error: isTimeout ? 'Download timed out — the plugin URL may be unreachable' : `Install failed: ${msg}` },
-      { status: isTimeout ? 504 : 500 },
+      { error: isTimeout ? 'Download timed out — the plugin URL may be unreachable' : msg },
+      { status },
     )
   }
 }